DMA
Digital Markets Act — EU Regulation (EU) 2022/1925
Standard Introduction
The Digital Markets Act (DMA) is a landmark European Union regulation that came into full effect in March 2024. It aims to ensure fair and open digital markets by imposing specific obligations on large technology platforms designated as 'gatekeepers.' The DMA addresses anti-competitive practices in the digital sector, particularly concerning app stores, search engines, social media platforms, and operating systems. Companies with significant market power must allow interoperability, enable users to choose alternative services, and refrain from self-preferencing their own services over competitors. The regulation specifically requires gatekeepers like Apple to allow sideloading of apps and alternative app marketplaces, fundamentally changing how users can access and install software on their devices.
The DMA designates gatekeepers based on criteria including: providing core platform services to over 45 million monthly active EU users and over 10,000 yearly active business users, having an annual EEA turnover of at least €7.5 billion in the last three financial years or a market capitalization of at least €75 billion, and operating in at least three EU member states. Designated gatekeepers include Apple, Alphabet (Google), Meta, Amazon, Microsoft, and ByteDance (TikTok). These companies must comply with obligations such as allowing third-party app stores, enabling interoperability with competitors, providing business users with access to their own data, and not pre-installing certain apps. The European Commission can impose fines up to 10% of global turnover for non-compliance, with repeated infringements potentially reaching 20% of global turnover. Several investigations into potential non-compliance have already been initiated, particularly concerning Apple's implementation of the DMA requirements.
Gatekeeper Designation
The European Commission designates large platforms as "gatekeepers" based on turnover, market cap, and user thresholds — currently 7 companies are designated.
Interoperability Mandates
Gatekeepers must allow third-party interoperability, sideloading of apps, and access to core platform services on fair terms.
Self-Preferencing Ban
Prohibits gatekeepers from ranking their own products/services more favorably than those of third-party competitors on their platforms.
list_alt Key Obligations
- Allow users to uninstall pre-installed apps
- Enable third-party app stores and sideloading
- Prohibit self-preferencing in rankings
- Allow switching default apps (browser, search, etc.)
- Provide data portability for end users and businesses
- Refrain from tracking users across services without consent
- Share advertising performance data with publishers
- Allow interoperability with messaging services
Who Needs to Comply?
Primarily targets large digital platforms designated as "gatekeepers" by the European Commission — currently Alphabet (Google), Amazon, Apple, ByteDance, Meta, and Microsoft. Also affects businesses operating on these platforms.
Key Requirements
Gatekeeper Compliance Reports
Designated gatekeepers must submit detailed compliance reports to the European Commission describing how they meet each obligation for every designated core platform service.
Data Sharing & Portability
Provide business users with access to performance and audience data generated on the platform. Allow end users to port their data freely.
Fair App Store Practices
Allow developers to use alternative payment systems, link to external offers, and distribute apps through third-party stores without unreasonable restrictions.
Anti-Circumvention
Gatekeepers must not engage in any behavior that undermines the obligations, regardless of whether the behavior is contractual, commercial, technical, or otherwise.
Implementation Roadmap
Prepare scope, ownership and obligations
Define the gatekeeper platform compliance program scope across designated core platform services, business users, end users, ranking, data use, interoperability, app stores, advertising, consent, reporting, and Commission engagement. Assign accountable owners, identify applicable legal, customer, certification, or regulatory drivers, and agree how evidence will be governed.
Gap analysis and risk prioritisation
Assess current practices against EU Digital Markets Act expectations and risk context. Review gatekeeper designation, Article 5 and 6 obligations, self-preferencing controls, data combination consent, business-user access, interoperability, anti-circumvention, compliance reports, profiling audits, and remediation of Commission findings, then prioritize gaps by legal exposure, safety or consumer impact, customer impact, operational dependency, and review readiness.
Implement controls, records and reporting
Deploy required controls, operating processes, documentation, supplier or partner workflows, testing, reporting, and escalation paths. Build traceable evidence around designation analyses, obligation maps, product control records, consent flows, business-user documentation, interoperability evidence, compliance reports, audit reports, incident or complaint logs, and Commission correspondence.
Review, audit and keep current
Complete readiness reviews, internal checks, and corrective actions before the European Commission review or independent audit. Refresh the program after product, service, supplier, technology, legal, market, incident, or regulator changes.
Compliance Checklist
checklist Scope and accountability
checklist Controls and evidence
checklist Monitoring and improvement
Penalties & Enforcement
Fines up to 10% of worldwide annual turnover, rising to 20% for repeated infringements. The Commission can also impose periodic penalty payments of up to 5% of daily turnover and order structural remedies including divestitures.
Frequently Asked Questions
Who needs EU Digital Markets Act?
expand_more
EU Digital Markets Act is relevant for organizations whose products, services, systems, or regulated activities fall within designated core platform services, business users, end users, ranking, data use, interoperability, app stores, advertising, consent, reporting, and Commission engagement. It is commonly driven by regulation, customers, certification, market access, or assurance needs.
What is the main purpose of EU Digital Markets Act?
expand_more
The practical purpose is to create a repeatable program for gatekeeper designation, Article 5 and 6 obligations, self-preferencing controls, data combination consent, business-user access, interoperability, anti-circumvention, compliance reports, profiling audits, and remediation of Commission findings. The program should make obligations visible, define accountable owners, operate controls, and keep evidence current.
What should be done first?
expand_more
Start by confirming scope, ownership, and applicable obligations. This prevents teams from building documents or controls that do not match the actual product, service, system, or regulated activity.
How long does implementation take?
expand_more
A focused implementation can take several weeks or months. Timing depends on maturity, number of sites or systems, supplier involvement, technical complexity, testing needs, and external review depth.
What evidence is most useful?
expand_more
Useful evidence includes designation analyses, obligation maps, product control records, consent flows, business-user documentation, interoperability evidence, compliance reports, audit reports, incident or complaint logs, and Commission correspondence. Reviewers usually expect traceable evidence that connects obligations to decisions, controls, tests, reports, and corrective actions.
How should suppliers or partners be managed?
expand_more
Supplier and partner duties should be documented through contracts, onboarding requirements, data or evidence requests, performance monitoring, and escalation routes for findings, incidents, or changes.
When should the program be updated?
expand_more
Update the program after legal changes, product or service changes, supplier changes, new markets, incidents, complaints, regulator feedback, or audit findings. Stale evidence is a common compliance failure.
Can this be integrated with other programs?
expand_more
Yes. EU Digital Markets Act can usually share governance, document control, training, supplier management, issue tracking, risk management, internal review, and corrective-action workflows with adjacent compliance programs.
Official Documentation
DMA Official Text (EU) 2022/1925
PDF • 2.1 MB • All EU Languages • Regulation
EUR-Lex Official Portal
External Link • eur-lex.europa.eu • Official EU Law
DMA Compliance Toolkit
ZIP • 15 MB • Gatekeeper Assessment & Compliance Guides