EU Digital Markets Act | Gatekeeper Rules Explained

Introduction to the EU Digital Markets Act

The European Union’s Digital Markets Act (Regulation 2022/1925) represents one of the most ambitious regulatory interventions in the history of digital platform governance. Proposed by the European Commission in December 2020 and reaching political agreement in March 2022, the DMA establishes a new regulatory paradigm: shifting from traditional ex post competition enforcement — where regulators investigate and penalize anti-competitive behavior after it occurs — to ex ante obligations that preemptively constrain the conduct of large digital platforms designated as gatekeepers.

The regulation is rooted in the European Commission’s Digital Single Market (DSM) strategy, first outlined in 2015, which identified the fragmentation of Europe’s digital economy as a critical barrier to competitiveness. The Commission estimated that completing the DSM could generate €415 billion from removing regulatory barriers, with an additional €92 billion anticipated from decreased internal market fragmentation. The costs of an incomplete Digital Single Market were estimated by the European Parliament Research Service at €36 to €75 billion per annum — figures that underscored the urgency of regulatory action.

The DMA’s stated objectives are to foster fair competition and contestability in digital markets by laying down harmonized rules that apply uniformly across EU member states. For organizations operating in the European digital economy, whether as gatekeepers, business users, or technology providers, understanding the DMA’s provisions is essential for strategic planning and compliance. This analysis draws on the regulation text and scholarly analysis to provide a comprehensive overview of the DMA’s architecture, obligations, and implications. Readers seeking interactive explorations of related regulatory frameworks can find them in our interactive library.

Gatekeeper Designation: Criteria and Paradoxes

The DMA introduces the concept of the “gatekeeper” — a large platform that serves as an important intermediary between business users and end users for core platform services. Designation as a gatekeeper triggers the full suite of DMA obligations and prohibitions, making the criteria for designation critically important for the regulation’s scope and impact.

Gatekeeper designation is based on size thresholds and qualitative criteria. However, the DMA makes a fundamental departure from traditional competition law by explicitly stating that designated gatekeepers “are not necessarily dominant in competition-law terms” (Recital 5). This means that the regulation does not define relevant markets and disregards the concept of market dominance — a cornerstone of European and global antitrust enforcement for decades.

This approach creates what analysts have identified as the DMA’s core paradox: companies with lower market share may be regulated while competitors with higher market share remain exempt. The most striking example involves music streaming, where Apple Music (with approximately 15% market share) qualifies as a gatekeeper through its connection to the iOS ecosystem, while Spotify (with approximately 31% market share) does not meet the gatekeeper criteria as a standalone service. This paradox extends across multiple sectors, where the regulation may “treat market challengers more stringently than it does incumbents.”

The implications for competition dynamics are significant. Rather than leveling the playing field between large and small platforms, the DMA’s designation criteria may inadvertently constrain the competitive behavior of certain platforms while leaving their direct competitors free to engage in the same practices without regulatory oversight.

Core Platform Services Under the DMA

The DMA applies specifically to “core platform services” — a defined category of digital services that gatekeepers provide and through which they intermediate between business users and end users. Article 2(2) identifies these services as online intermediation services (such as app stores and marketplaces), operating systems, online search engines, online social networking services, and software application stores.

Each category of core platform service carries specific obligations that reflect the particular competitive concerns associated with that type of service. For operating systems like iOS and Android, obligations focus on interoperability, sideloading, and preventing the leveraging of operating system control into adjacent markets. For app stores, the emphasis is on fair access conditions, transparent ranking criteria, and preventing self-preferencing in search results and recommendations.

The scope of core platform services has practical implications for how gatekeepers must restructure their businesses. Because the DMA treats each core platform service as a separate regulatory unit, a company like Google or Apple that operates multiple core platform services faces cumulative obligations that compound across their service portfolio. This creates significant compliance complexity, particularly when obligations for one service conflict with obligations or practices for another.

For business users — companies that rely on gatekeepers’ platforms to reach consumers — the DMA’s core platform service framework creates new rights and protections. These include data portability, fair access conditions, and protection against arbitrary changes to terms of service. Understanding which platform services qualify under the DMA is therefore essential for businesses seeking to leverage these protections in their relationships with digital platform providers.

Key Obligations for Digital Gatekeepers

The DMA imposes two categories of obligations on designated gatekeepers: self-executing obligations under Article 5 that require no further specification, and obligations under Article 6 that may be further specified by the European Commission through regulatory dialogue with the gatekeeper.

Article 5 establishes blanket prohibitions that apply immediately upon gatekeeper designation. The most significant is Article 5(1)(a), which prohibits the cross-use of personal data collected from one core platform service in other services offered by the gatekeeper. In practical terms, this means Google cannot use data from Gmail to customize Google Pay services to compete with PayPal, and Amazon cannot use marketplace data to improve its streaming video service to compete with Netflix.

Article 5(1)(f) addresses bundling and tying practices, requiring gatekeepers to refrain from mandating that business users or end users subscribe to additional core platform services as a condition for accessing any single service. This prevents practices such as requiring iPhone users to use Apple Pay or requiring an Amazon account to read ebooks on Kindle devices.

Article 6 obligations are more complex and subject to regulatory specification. Article 6(i) establishes data portability requirements, mandating that gatekeepers provide business users with free, effective, high-quality, continuous, and real-time access to aggregated and non-aggregated data generated through the use of core platform services. For personal data, access is limited to data directly connected with end-user use and requires the end user’s opt-in consent.

Article 6(1)(k) requires gatekeepers to offer fair, reasonable, and non-discriminatory (FRAND) general conditions of access for business users to app stores, search engines, and social networking services. This FRAND requirement borrows from telecommunications regulation and represents one of the most practically significant obligations for the relationship between gatekeepers and the businesses that depend on their platforms.

Prohibited Practices and Per Se Rules

The DMA’s approach to prohibited practices represents a significant departure from both European and American competition law traditions. The regulation establishes per se rules — blanket prohibitions that apply regardless of whether the specific practice produces anti-competitive effects in a given case. Under the DMA, designated gatekeepers cannot justify prohibited practices based on economic efficiency, consumer welfare improvement, or technological innovation.

The only accepted justifications for otherwise prohibited conduct are narrowly limited to public morality, public health, or public security (Recital 60). This contrasts sharply with traditional competition law, where companies can defend potentially anti-competitive practices by demonstrating that they produce efficiencies that benefit consumers. The absence of an efficiency defense under the DMA means that practices which genuinely improve the user experience — such as integrating services to reduce friction or cross-referencing data to improve recommendations — may be prohibited even when they demonstrably benefit consumers.

Specific prohibited practices include self-preferencing and self-favoring (where gatekeepers rank their own services above competitors in search results or recommendations), cross-use of personal data between services, tying and bundling of core platform services, and leveraging capabilities from one market into adjacent markets. The practical impact extends beyond designated gatekeepers, as the regulation’s framework may influence how courts interpret traditional competition cases involving non-gatekeeper platforms.

Analysts have warned of a potential chilling effect: if practices are considered harmful when implemented by a non-dominant gatekeeper, competition authorities may a fortiori deem the same practices harmful when implemented by dominant platforms not subject to the DMA. This “trickle down” effect means the DMA’s per se prohibitions could reshape competitive behavior across the entire digital economy, not just among designated gatekeepers. Organizations navigating these regulatory complexities can benefit from interactive regulatory analysis tools.

DMA Enforcement Mechanisms and Penalties

The DMA establishes a complex enforcement architecture that combines centralized oversight by the European Commission with significant enforcement powers for national competition authorities (NCAs). The European Commission, acting primarily through DG COMP (the Directorate-General for Competition), serves as the primary enforcer, supported by the European High-Level Group of Digital Regulators and the Digital Markets Advisory Committee.

The enforcement framework includes several mechanisms for initiating investigations. Three or more EU member states can request the Commission to open an investigation against a potential gatekeeper or to add new obligations. A single member state can request an investigation for alleged systematic non-compliance. The “Friends of an Effective Digital Markets Act” coalition — comprising Germany, France, and the Netherlands — has been particularly vocal in advocating for robust enforcement, including private enforcement rights that would allow firms to sue gatekeepers directly to enforce DMA obligations.

The decentralized enforcement dimension raises significant concerns about regulatory consistency. Under Article 32a(1), NCAs can launch investigations against gatekeepers based on national laws, with their only duty being to inform the Commission. More significantly, Article 32a(3) allows any NCA to adopt interim measures against designated gatekeepers, and Article 32a(6) permits NCAs to directly enforce Articles 5, 6, and 6a on their own initiative within their territory.

This hybrid enforcement model creates the potential for divergent interpretations of DMA obligations across member states. While Article 32b(5) requires national courts to avoid decisions that contradict Commission decisions, the scope for NCA action before Commission involvement is substantial. For gatekeepers, this means navigating not just a single set of regulatory requirements but potentially 27 different enforcement approaches across EU member states.

Regulatory Conflicts: DMA vs GDPR and DSA

One of the most consequential challenges posed by the DMA is its interaction with existing EU legislation, particularly the General Data Protection Regulation (GDPR) and the Digital Services Act (DSA). Gatekeepers face obligations from the DMA plus over 20 existing EU legislative instruments, creating scenarios where compliance with one regulation may conflict directly with compliance with another.

The DMA-GDPR conflict is particularly acute in the area of data portability. Article 6(i) of the DMA requires gatekeepers to provide business users with access to user data when end users provide a one-time general opt-in consent. However, this broad data sharing potentially conflicts with GDPR Article 7(4), which prohibits unnecessary processing of personal data for contract performance, and with the GDPR’s principle of data minimization. Gatekeepers face a genuine dilemma: full compliance with DMA data portability may violate GDPR data protection principles, and vice versa.

Additionally, the DMA’s data portability provisions may conflict with GDPR Article 20 (the right to data portability). The DMA limits portability to data “directly connected” with end-user use, which may be more restrictive than GDPR’s broader portability right. This creates legal uncertainty about which regulation takes precedence and how gatekeepers should resolve conflicts between the two frameworks.

The DMA-DSA conflict manifests most clearly in content moderation scenarios. The Digital Services Act requires platforms to expeditiously remove or disable access to illegal content (Article 5), while the DMA requires fair, reasonable, and non-discriminatory access for business users (Article 6(1)(k)). These obligations can directly conflict: removing an app containing illegal content under the DSA may violate the DMA’s non-discrimination requirement, while maintaining access to comply with the DMA may violate DSA content moderation obligations.

Impact on Big Tech Business Models

The DMA’s obligations and prohibitions strike at the core of how large digital platforms generate value and competitive advantage. Cross-subsidization, data-driven personalization, and integrated service ecosystems — all fundamental to platform business models — face significant constraints under the regulation.

Forced unbundling requirements under Article 5(f) require gatekeepers to separate their core platform services from one another, allowing users and businesses to access individual services independently. For companies like Apple, this means enabling app distribution outside the App Store (sideloading), which raises cybersecurity concerns that the company has repeatedly highlighted. The tension between open access mandates and platform security illustrates a broader challenge: the DMA prioritizes market contestability without fully accounting for the security and quality implications of forced openness.

The prohibition on cross-use of personal data between services disrupts business models that rely on comprehensive user profiles built across multiple services. Google’s ability to use search data, email content, and location history together to deliver more relevant advertising and better services is a key competitive advantage that the DMA constrains. Whether the resulting degradation in service quality offsets the competition benefits intended by the regulation remains an open empirical question.

Compliance costs represent a significant operational burden. Beyond legal and technical implementation costs, gatekeepers must navigate contradictory obligations from the DMA and other regulations, maintain separate data processing systems for different services, and manage compliance monitoring across all EU member states. These costs may ultimately be passed through to business users and consumers, potentially undermining the DMA’s objective of fostering competitive markets that benefit end users.

National Implementation and Decentralized Enforcement

Several EU member states have already developed or are developing national digital competition frameworks that complement or overlap with the DMA. Germany’s Digitalization Act, which entered into force on January 19, 2021 — before the DMA’s finalization — amended the German Act Against Restraints of Competition (GWB) to address digital platform competition issues. Other countries including Belgium, Bulgaria, France, Hungary, and Italy have pursued or are pursuing national legislation in this space.

Article 1(6) of the DMA explicitly permits member states to set new rules and obligations on gatekeepers pertaining to national competition rules, creating potential for regulatory layering where gatekeepers must comply with both EU-level DMA requirements and additional national requirements. This layering adds complexity and cost to compliance programs and raises questions about regulatory coherence across the single market.

The European Competition Network (ECN) issued a joint paper in June 2021 outlining how national competition agencies can strengthen the DMA’s implementation. This institutional support for decentralized enforcement suggests that NCAs will be active participants in DMA oversight, not merely passive observers of Commission-led enforcement. For gatekeepers and business users alike, monitoring both EU-level and national-level enforcement developments is essential for effective compliance planning.

The proportionality of the DMA’s regulatory burden remains a subject of legal and economic debate. The EU’s Principle of Proportionality under Article 5(4) TEU requires that measures be necessary, suitable (least-restrictive means), and proportionate to their objectives. Critics argue that the DMA’s per se prohibitions — which apply regardless of demonstrated harm and allow no efficiency defense — may not satisfy strict proportionality review, particularly given the regulation’s impact on the fundamental freedom to conduct business protected by Article 16 of the EU Charter of Fundamental Rights.

Strategic Implications for Digital Platform Markets

The DMA reshapes the strategic landscape for all participants in Europe’s digital economy. For designated gatekeepers, compliance requires fundamental restructuring of data practices, service architectures, and business user relationships. For non-gatekeeper platforms, the regulation creates both opportunities — through improved access to gatekeeper platforms and data — and risks, as the DMA’s framework may influence how competition authorities assess their own practices.

Business users stand to gain significantly from DMA provisions, particularly data portability requirements, FRAND access conditions, and protections against arbitrary changes to platform terms. Small and medium-sized enterprises that depend on gatekeeper platforms for distribution and customer access may find new leverage in their platform relationships. However, the practical value of these rights depends on effective enforcement, which remains to be tested through real cases.

For the broader European digital economy, the DMA represents a bet that regulatory intervention can foster innovation and competition more effectively than market forces alone. Proponents argue that constraining gatekeeper power will unlock competitive dynamics that benefit consumers and the economy. Critics contend that per se prohibitions without efficiency defenses will generate Type I errors (over-enforcement), prohibiting pro-competitive practices and ultimately harming the consumers the regulation aims to protect.

Looking ahead, the DMA’s influence extends beyond Europe’s borders. As the regulation enters full enforcement, its extraterritorial impact on global platform strategies, its interaction with similar regulatory initiatives in the United States, United Kingdom, and Asia-Pacific, and its real-world effects on competition and innovation will shape the global debate about how to govern digital platforms in the 21st century. Organizations seeking to understand these dynamics can explore our interactive library of regulatory analyses.