EU Digital Markets Act (DMA): Complete Guide to Gatekeeper Obligations, Enforcement & Compliance

What Is the EU Digital Markets Act?

The EU Digital Markets Act (Regulation 2022/1925) represents the European Union's most ambitious effort to regulate Big Tech competition. Officially titled the "Regulation on contestable and fair markets in the digital sector," the DMA creates a comprehensive framework of obligations and prohibitions specifically targeting the largest digital platforms — those the regulation designates as gatekeepers.

Adopted by the European Parliament on July 5, 2022, and by the Council on July 18, 2022, the DMA was signed into law on September 14, 2022, and entered into force on November 1, 2022. Following a structured implementation timeline, gatekeepers had until March 6, 2024, to comply with all provisions. The regulation was published in the Official Journal of the European Union (OJ L 265) on October 12, 2022.

Unlike traditional competition law, which typically requires lengthy ex-post investigations to prove market abuse, the DMA takes an ex-ante regulatory approach. It defines in advance what designated gatekeepers can and cannot do, creating clear, enforceable rules rather than relying solely on case-by-case enforcement. This shift from reactive to proactive regulation marks a paradigm change in how Europe governs its digital economy.

The DMA was proposed alongside the Digital Services Act (DSA) as part of the European Commission's broader digital strategy — "Shaping Europe's Digital Future." Together, these twin regulations form the cornerstone of the EU's approach to making the digital economy fairer, safer, and more competitive. While the DSA focuses on illegal content and platform responsibility, the DMA specifically targets market power and fair competition.

Why the DMA Was Needed: Market Context

European digital markets face extreme levels of concentration. Google controls approximately 95% of the EU search market. Facebook dominates social networking with a 90% share. Amazon captures 60% of e-commerce market revenues. Google Chrome holds 60% of the browser market, while Android and iOS together account for nearly 100% of mobile operating systems. These figures illustrate the "winner-takes-most" dynamic that characterizes digital platform markets.

This concentration stems from powerful structural forces: economies of scale on the supply side, strong network effects on the demand side, data-driven competitive advantages, high barriers to entry, and the development of conglomerate ecosystems where dominant platforms leverage their position across multiple sectors. These dynamics create what regulators call "gatekeepers" — companies that control critical access points between businesses and consumers.

Existing EU competition law, primarily Articles 101 and 102 of the TFEU, proved insufficient. Traditional antitrust enforcement takes years — the European Commission's landmark cases against Google spanned from 2010 to 2019, during which time market positions only consolidated further. The DMA was designed to address these structural gaps with rules that apply before harm occurs, not after.

The regulation reflects years of enforcement experience. The German Federal Cartel Office's 2019 case against Facebook's data combination practices, the European Commission's €4.3 billion fine against Google for Android bundling, and investigations into Apple's App Store commission structure all informed the DMA's specific obligations. The regulation effectively codifies the lessons learned from a decade of digital antitrust enforcement into binding, forward-looking rules.

Gatekeeper Designation: Criteria and Thresholds

The DMA establishes a clear, two-track system for designating gatekeepers. Companies that meet specific quantitative thresholds are presumed to be gatekeepers, though they may attempt to rebut this presumption. The European Commission can also designate companies through qualitative market investigations even if quantitative thresholds are not met.

Quantitative Thresholds (Article 3)

A company is presumed to be a gatekeeper if it meets all three of the following criteria:

Companies meeting these thresholds must self-notify the European Commission within two months of the regulation becoming applicable. The Commission then has 45 working days to make a formal designation decision. As of September 2023, six companies have been designated: Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft — covering 22 distinct core platform services.

Qualitative Designation (Article 17)

Even if a company does not meet the quantitative thresholds, the Commission can designate it as a gatekeeper through a market investigation lasting up to 12 months. This qualitative assessment considers factors including: the size of the platform's user base, network effects, data-driven advantages, scale and scope economies, business user lock-in, and conglomerate corporate structure. This provision ensures that the regulation adapts to evolving market conditions and cannot be easily circumvented by structuring below the numerical thresholds.

Core Platform Services Defined

The DMA applies to eight categories of core platform services (CPS), each representing a sector where gatekeeper power can distort competition and restrict market contestability:

1. Online intermediation services — App stores (Google Play, Apple App Store), marketplaces (Amazon Marketplace), and other intermediation platforms
2. Online search engines — Including Google Search, the dominant player with ~95% EU market share
3. Social networking services — Facebook, Instagram, LinkedIn, and TikTok
4. Video-sharing platform services — YouTube and similar platforms
5. Number-independent interpersonal communications services — WhatsApp, Messenger, and similar messaging platforms
6. Operating systems — Android, iOS, iPadOS, and Windows
7. Web browsers — Chrome and Safari
8. Online advertising services — Including Google Ads, Amazon advertising, and Meta's advertising platform

Apple's iPadOS was initially excluded as it did not meet the quantitative thresholds. However, following a market investigation completed in April 2024, the Commission designated iPadOS as a gatekeeper core platform service, citing its importance as a "gateway for business users to reach end users." Microsoft's Bing, Edge, and Microsoft Advertising, as well as Apple's iMessage, were investigated but ultimately not designated as gatekeeper services in February 2024, as they did not meet the required thresholds.

This framework has clear parallels with the EU AI Act's risk-based classification system. Just as the AI Act categorizes AI systems by risk level, the DMA categorizes digital services by their competitive significance — applying the most stringent rules to those with the greatest market impact.

Article 5: Direct Obligations for Gatekeepers

Article 5 contains obligations that apply directly and unconditionally to all designated gatekeepers, with no room for case-by-case tailoring. These are the "hard" rules — clear prohibitions and requirements that take effect immediately upon designation.

Data Combination Ban (Article 5(2))

Gatekeepers cannot combine personal data from their core platform service with data from other services (whether their own or third-party) without explicit GDPR-compliant consent. They cannot cross-use personal data across their different services or sign users into other services to combine data. If a user refuses consent, the gatekeeper cannot ask again for one year. This directly addresses practices like Meta's combination of Facebook and WhatsApp user data, which the German Federal Cartel Office ruled illegal in 2019.

Anti-Parity Clause (Article 5(3))

Gatekeepers cannot prevent business users from offering different prices or conditions on other platforms or their own sales channels. A hotel listed on a gatekeeper's platform can offer lower prices on its own website. An app developer can sell subscriptions cheaper outside the gatekeeper's app store. This dismantles the "most favored nation" clauses that platforms like Amazon imposed on e-book publishers and that travel platforms like Booking.com required from hotels.

Free Communication and Contracting (Articles 5(4)-(5))

Business users must be allowed to freely communicate offers to customers acquired through the gatekeeper's platform and conclude contracts with them outside the platform, at no charge. End users must be able to access content and subscriptions they purchased from a business user, even if bought outside the gatekeeper's ecosystem. This strikes at the heart of practices like Apple's restrictions on developers communicating alternative payment options to iOS users.

No Forced Bundling (Articles 5(7)-(8))

Gatekeepers cannot require business or end users to use the gatekeeper's identification service, browser engine, or payment system. They also cannot force subscription to additional core platform services as a condition for using one. This tackles practices like Google's requirement that Android device manufacturers pre-install the full Google services suite, which led to the €4.3 billion fine in 2018.

Advertising Transparency (Articles 5(9)-(10))

Gatekeepers providing online advertising must give advertisers and publishers daily, free access to pricing and performance data — including the prices paid by advertisers, remuneration received by publishers, and the metrics used for calculation. This transparency requirement addresses the longstanding opacity in digital advertising intermediation, where platforms controlled both sides of the transaction without revealing margins.

Article 6: Obligations Subject to Further Specification

Article 6 contains twelve additional obligations that can be further specified by the Commission under Article 8's regulatory dialogue process. While still binding, their implementation may be tailored through discussion between the Commission and individual gatekeepers.

No Commercial Data Misuse (Article 6(2))

Gatekeepers cannot use non-public data generated by business users on their platform to compete against those same business users. This directly addresses concerns about Amazon using marketplace seller data to develop competing private-label products — a practice identified in multiple competition investigations.

Software Freedom (Articles 6(3)-(4))

End users must be able to easily uninstall any pre-installed software (except apps essential for OS/device functioning) and change default settings for search engines, virtual assistants, and browsers. Gatekeepers must allow the installation of third-party app stores and sideloading of apps from sources outside their own store. Users must be prompted with a choice screen at first use, presenting alternative providers. This fundamentally reshapes the mobile ecosystem — within the first month of enforcement, independent browsers like Aloha, Vivaldi, Ecosia, and Brave saw EU user numbers spike by up to 250%.

No Self-Preferencing (Article 6(5))

Gatekeepers must not treat their own services more favorably in ranking and related indexing than comparable third-party services. Ranking conditions must be transparent, fair, and non-discriminatory. This codifies the principle established in the European Commission's €2.4 billion Google Shopping decision, where Google was found to systematically favor its own comparison shopping service in search results.

Interoperability and Data Access (Articles 6(7)-(11))

Gatekeepers must provide free, effective interoperability with their operating system and hardware features. End users must receive effective data portability with continuous, real-time access tools. Business users must receive high-quality, real-time access to data generated through the platform. Search engines must share ranking, query, click, and view data with competitors on fair, reasonable, and non-discriminatory (FRAND) terms. These provisions aim to reduce lock-in effects and enable new entrants to compete effectively.

Understanding how these interoperability requirements work alongside other EU regulations is critical. The EU AI Act regulation framework creates complementary requirements for AI systems that often operate within these same gatekeeper platforms, creating a layered compliance landscape that businesses must navigate.

Article 7: Messaging Interoperability Requirements

Article 7 introduces one of the DMA's most technically ambitious provisions: mandatory interoperability for messaging services. Designated number-independent interpersonal communications services (primarily WhatsApp and Messenger) must make their basic functionalities interoperable with competing messaging providers, upon request and free of charge.

Phased Implementation Timeline

The interoperability requirements follow a graduated timeline:

Security Preservation

Crucially, the DMA mandates that the level of security — including end-to-end encryption — must be preserved across interoperable services. Gatekeepers must publish a reference offer detailing technical specifications and security levels. Any provider can request interoperability, and the gatekeeper must comply within three months. End users remain free to choose whether to use interoperable features, ensuring no one is forced into cross-platform communication they don't want.

This requirement generated significant technical debate. Critics argue that maintaining end-to-end encryption across different messaging protocols is extremely challenging. Proponents counter that the phased timeline gives platforms adequate time to develop secure solutions, and that interoperability is essential to breaking messaging monopolies.

Enforcement, Penalties and Structural Remedies

The DMA establishes a centralized enforcement model with the European Commission as the sole enforcer, supported by national authorities and a high-level advisory group. This design avoids the fragmentation that could result from 27 different national approaches.

Penalty Structure (Article 30)

The DMA's penalty regime is among the most severe in EU regulatory history:

• First non-compliance: Fines up to 10% of worldwide annual turnover
• Repeated infringement: Fines up to 20% of worldwide annual turnover
• Periodic penalty payments: Up to 5% of average daily worldwide turnover per day of non-compliance (Article 31)
• Providing incorrect information: Fines up to 1% of worldwide annual turnover

For context, 10% of Alphabet's 2024 annual revenue (~$350 billion) would be approximately $35 billion — making DMA fines potentially the largest regulatory penalties ever imposed on any company. This dwarfs the previous record EU antitrust fines and creates genuine deterrence.

Structural Remedies (Article 18)

In cases of systematic non-compliance — where a gatekeeper violates obligations under Articles 5, 6, or 7 at least three times within eight years — the Commission can conduct a market investigation and impose structural remedies. This includes the power to order the divestiture (break-up) of parts of the business, a remedy never before available in EU competition law. The Commission can also prohibit acquisitions in the relevant sector for a defined period.

Compliance Function (Article 28)

Gatekeepers must establish an independent compliance function composed of compliance officers who are independent from the company's operational management. This internal oversight mechanism ensures ongoing attention to DMA obligations beyond mere initial implementation.

Anti-Circumvention (Article 13)

The DMA explicitly prohibits gatekeepers from engaging in any behavior that undermines the objectives of the regulation, regardless of whether that behavior takes contractual, commercial, technical, or any other form. This catch-all provision prevents creative workarounds that comply with the letter but not the spirit of the law — a lesson learned from years of competition enforcement where companies found technical loopholes.

DMA Compliance in Practice: Current Enforcement

Since the March 2024 compliance deadline, enforcement has moved from theory to practice. The European Commission has opened multiple non-compliance investigations, particularly targeting Apple's App Store practices and Google's search self-preferencing.

Early evidence suggests the DMA is already reshaping digital markets. The mandated browser choice screens led to a 250% increase in EU users for alternative browsers in the first month after enforcement. App developers gained new ability to direct users to external payment channels. Advertising transparency requirements exposed previously hidden fee structures in programmatic advertising.

However, compliance remains contested. Apple's implementation of app sideloading in the EU has been criticized as overly restrictive, with a "Core Technology Fee" that critics argue undermines the regulation's intent. Google's compliance with the self-preferencing ban has been questioned, with competitors arguing that the company's auction-based placement system doesn't create genuine equal treatment. These disputes will likely define DMA enforcement for years to come.

The impact extends beyond Europe. The DMA has inspired similar regulatory efforts worldwide — Japan's Transparency Act, South Korea's Telecommunications Business Act amendments, and discussions in the US Congress about platform regulation all draw on DMA concepts. As noted in the WEF Global Risks Report 2025, digital governance fragmentation is itself becoming a systemic risk that businesses must navigate.

DMA vs. EU AI Act: How They Work Together

The DMA and the EU AI Act form complementary pillars of Europe's digital governance architecture. While they address different concerns, their interaction creates a comprehensive regulatory framework for digital platforms.

The DMA addresses market structure — ensuring that dominant platforms don't abuse their gatekeeping position to foreclose competition. The AI Act addresses technology risks — ensuring that AI systems deployed across these platforms meet safety, transparency, and fundamental rights standards. A company like Google faces DMA obligations regarding search ranking fairness and AI Act obligations regarding the AI systems powering those rankings.

For businesses operating in the EU digital ecosystem, understanding both regulations is essential. The DMA creates new opportunities — sideloading rights, data portability, and advertising transparency open doors for competitors and business users. The AI Act creates new compliance obligations for anyone deploying AI. Together, they define the rules of engagement for digital markets in Europe and, increasingly, globally.

The broader regulatory landscape continues to evolve. The Stanford AI Index 2025 documents the accelerating pace of AI regulation worldwide, with the EU's approach serving as a reference model for regulators from Tokyo to Washington. Companies that invest in understanding and complying with these frameworks now will be best positioned as regulation intensifies.