The world’s leading digital media and regulatory policy journal

Navigating compliance: gatekeepers’ reporting under the Digital Markets Act

The deadline for compliance with the European Digital Markets Act was reached in March of this year. ALENA BIRRER and NATASCHA JUST examine the response of the six gatekeepers to date

On November 1, 2022, the European Digital Markets Act1 came into force, aiming to promote fair and contestable markets within the digital sector. The DMA constitutes ex ante regulation to address longstanding competitive concerns in digital markets and is a response to the challenges encountered by the European Commission in their competition enforcement efforts, which have been characterised by lengthy proceedings and platforms’ seeming disregard of multiple billion-dollar fines.2 This new regulatory approach marks a shift in enforcement in digital markets, synergising with recent and extensive reforms in national competition laws that tackle abusive platform practices.3 While distinct from competition law, the DMA is rooted in EU competition enforcement principles and additionally shaped by European data protection law,4 highlighting the evolving interconnectedness of regulatory frameworks in digital markets.5 The DMA specifically targets ‘gatekeepers’, i.e. large online platforms controlling access to digital markets and establishes rules of conduct to ensure the openness of important digital services and to prevent unfair conditions vis-à-vis other businesses and end users.

Designation of ‘gatekeepers’ and reporting

Companies qualify as gatekeepers if they significantly impact the internal market, hold a stable market position and provide ‘core platform services’ (CPSs) acting as essential gateways between businesses and users. Companies that meet certain thresholds for turnover, capitalisation and user numbers must notify the Commission but can simultaneously argue against their designation, which the Commission will then decide upon. The Commission can also proactively conduct market investigations to designate gatekeepers and consider additional factors such as economies of scale and scope, network effects or data-driven advantages. In September 2023, the Commission designated six gatekeepers – Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft – along with 22 of their CPSs (see Figure 1).6 Alphabet, with eight designated CPSs, has the highest number of designations, followed by Meta with six, Apple with three, Amazon and Microsoft with two each and ByteDance with one. Apple, ByteDance, and Meta have challenged some CPS designations, but this does not exempt them from complying with the DMA pending a final decision. More designations could follow as the Commission continues to monitor the market.7

Figure 1. Designated gatekeepers and their core platform services (illustration based on the initial designations of the European Commission in September 2023 8).

Once designated, the gatekeepers were given six months to implement the necessary changes and must report annually and in a detailed and transparent manner on their compliance with the over 20 obligations in Articles 5 to 7 of the DMA. In these reports, the gatekeepers must demonstrate that they have taken effective measures to meet the objectives of the DMA as a whole and those of each obligation. The gatekeepers must also not engage in any contractual, technical or other conduct that would undermine or circumvent effective compliance with the DMA obligations. To ensure this, the Commission has engaged with gatekeepers and other stakeholders through various meetings and public workshops. Following the compliance deadline, it held compliance workshops for each gatekeeper to collect feedback on the reported compliance strategies.

Beyond the compliance reports, gatekeepers must separately provide reports on their consumer profiling practices. This is to enhance contestability by increasing transparency in data collection and usage, allowing competitors to distinguish themselves with ‘superior privacy guarantees’9, a probable form of non-price competition.10 Unlike the compliance report, the consumer profiling report must be independently audited and forwarded to the European Data Protection Board (EDPB), underlining the increased efforts of inter-agency cooperation to tackle platform power.11 While the Commission does not verify the reports’ accuracy, it can impose sanctions for incomplete or incorrect descriptions and missed deadlines.

This article offers an overview of the gatekeepers’ responses since the initial release of the compliance and consumer profiling reports on 7 March 2024, and evaluates both their overall compliance and the specific substantive changes they have made. For this, we evaluated the non-confidential summaries of the gatekeepers’ compliance12 and consumer profiling reports13 as well as the recordings from the six compliance workshops.14 Additional insights were gathered from discussions during the policymaking process from media coverage and policy blogs.

Altogether, the analysis reveals considerable variation in the gatekeepers’ approaches to compliance, both in their implemented measures and the format and depth of their reporting. Collectively, they lack the detailed technical and practical information necessary for a confident assessment of their compliance with the DMA. Moreover, the gatekeepers are displaying a somewhat defensive attitude, asserting prior compliance with many provisions and making implementation contingent on several conditions and additional fees. This has led to criticism from stakeholders, prompting the Commission to initiate investigations into some gatekeepers barely a month after the compliance deadline.15 Additionally, the Commission has launched a whistle-blower tool for individuals to help uncover violations of the obligations.16 This challenges the narrative of the DMA’s self-executing nature and signals a shift towards more adversarial enforcement.17 The investigations are expected to conclude within 12 months and could lead to penalties of up to ten per cent of a gatekeeper’s annual turnover. In cases where a gatekeeper consistently fails to comply with the DMA, the Commission also retains the authority to conduct market investigations and impose structural or behavioural remedies.

Substantive compliance

The DMA seeks to ensure fair and contestable digital markets. To this end, it establishes rules addressing key issues in digital platform markets such as the anticompetitive effects of closed digital ecosystems and the exploitation of data-driven advantages.

Countering closed digital ecosystems

Gatekeepers regulated by the DMA wield significant influence over digital ecosystems, establishing ‘walled gardens’ that pose challenges both for existing and new competitors while dissuading user multi-homing and fostering lock-in effects. The DMA intervenes by mandating interoperability and enforcing non-discrimination to bolster user choice and curb the preferential treatment of gatekeepers’ products and services. Several rules apply to all CPSs, while others are designed to address particular problems associated with specific services, often identified in past EU competition cases. Some critics doubt the feasibility of this approach, arguing that the DMA essentially condenses the same narrow aspects of their competition cases into ‘dos and don’ts’, thus failing to tackle overarching power dynamics.18

Operating systems and app stores – enhancing developer independence and user choice

Press conference announcing the Digital Markets Act, 15 December 2020.

Operating systems and app stores serve as prime examples of closed ecosystems, rendering them the primary focus of DMA provisions. Alphabet, Apple and Microsoft, designated gatekeepers of operating systems and app stores, are now required to enable third-party app-store installation and sideloading, granting users and developers an alternative to standard app distribution channels. Additionally, competing app stores must have free access to the same hardware and software features of their operating systems. Alphabet and Microsoft claimed compliance with the requirements, while Apple’s changes to iOS and its App Store were eagerly anticipated due to its persistent protection of its walled garden. Previously, Apple attempted to circumvent compliance by disputing the Commission’s designation of its app store as a single CPS, arguing that it operates five distinct and small enough app stores to evade designation.19 As of March 2024, Apple iOS 17.4 now permits app distribution through alternative app stores and the internet, but with strict conditions due to perceived risks for users and developers, as argued by Apple. These include demonstrating financial stability, adherence to minimum safety requirements, ensuring no copyright infringement or illegal material and a new fee structure for third-party app stores. While gatekeepers can ensure service integrity, these conditions faced criticism for potentially deterring developers from distributing apps outside Apple’s App Store.20 Another potential barrier is the lengthy installation process for third-party app stores, which may be intentionally designed by Apple to discourage their use.21 Accordingly, the Commission has started investigating whether Apple’s compliance solution undermines the rules’ intent.22 Similar restrictions prompted another non-compliance proceeding by the Commission against Apple and Alphabet over their implementation of the DMA’s anti-steering obligations. While Alphabet and Apple allow developers to promote offers outside their app stores and to direct users to external sites to complete transactions, both charge various fees and still limit steering, according to the Commission.23

Another concern that the DMA addresses in relation to operating systems is the lack of user choice stemming from pre-installed software and default settings. To address this, Apple, Microsoft, and Alphabet now give users an active choice to disable or uninstall apps and to set defaults such as web browsers. However, the gatekeepers faced major criticism from stakeholders on the design of these choice screens and the Commission has started investigating whether Apple is preventing users from truly exercising their choice, for example, by not enhancing engagement with all available options.24 Also aiming to improve user choice, the DMA further bans barriers to switching between different apps and services. However, Alphabet, Apple and Microsoft asserted prior compliance without providing further detail.

Intermediation services and search engines – ensuring non-discrimination

Beyond operating systems and app stores, potential conflicts of interest arise from gatekeepers acting as both platform operators and providers of products or services, particularly in relation to intermediation services and search engines. To address this, the DMA introduces several non-discrimination requirements. For example, it prohibits intermediation services such as online marketplaces from applying parity or most favoured nation (MFN) clauses. However, only Alphabet has made minor changes in response, reviewing contracts and implementing new, unspecified procedures, whereas Amazon, Meta and Apple have reported prior compliance. Furthermore, gatekeepers are banned from engaging in self-preferencing regarding the ranking and prominence of their products and services. While Meta and Microsoft only introduced minor changes related to their ad-auction procedures, Alphabet made several adjustments regarding the display of search results. Google Search now provides more links to competing sites, including comparison sites, and has removed some of its own widgets, such as Google Flights. However, according to competitor Yelp, which conducted user behaviour tests on a mock version of the new Google search engine result page, Alphabet’s implementation of these changes is unlikely to significantly increase traffic to third-party sites and might even reinforce Google’s walled garden.25 Additionally, during Alphabet’s compliance workshop, direct suppliers expressed concerns that their competitiveness could be further threatened as vertical search services such as Booking.com or SkyScanner will be featured more prominently. As Caffarra26 notes, such stakeholder feedback may be motivated by a desire to gain a larger share of the gatekeepers’ profits, rather than genuinely wanting to deconcentrate markets. Also here, the Commission has started a non-compliance investigation to review the adequacy of Alphabet’s measures.27 In addition, it is taking investigatory steps to assess whether Amazon Marketplace is engaging in self-preferencing, despite asserting compliance in their report.

Their substantive compliance has been criticised as insufficient as gatekeepers seemingly resort to diverse circumvention strategies

Advertising services – ensuring cost and performance transparency

Closed digital ecosystems and the lack of transparency about how they operate can also make it challenging for advertisers to assess the effectiveness of their campaigns and whether they are subjected to fair conditions. The DMA addresses this by granting advertisers and publishers a right to pricing information and performance measurement tools. All gatekeepers reported that they already provide sufficient information, with only a few implementing additional measures. For example, Meta released new pricing transparency reports and aims to improve accessibility for small and medium businesses, while Amazon added more granularity to its pricing reports and updated how advertising customers can measure the success and impact of their campaigns.

Messaging services – mandating horizontal interoperability

While the previous rules focused on issues related to vertically integrated ecosystems, the DMA also mandates horizontal interoperability for messaging services. In these services incumbent providers often benefit from strong network effects, increasing users’ switching costs and limiting market contestability. Notably, this focus on messaging services was included late in the legislative process, influenced by pressure from the European Parliament and despite scepticism from the Commission.28 Currently, there are two designated messaging services, Meta’s WhatsApp and Facebook Messenger, whereas Apple successfully convinced the Commission not to designate iMessage. They are now required to be interoperable with other messaging services, regarding text messaging, the sharing of images, voice messages, videos and other files, and voice and video calls. Meta must accomplish this within six months to four years depending on these different messaging modalities, allowing it to establish the required technical conditions. In its report, Meta presented its ongoing efforts to enable interoperability between WhatsApp and other messengers. For now, WhatsApp allows users to exchange text-based messages with users on other platforms if the user enables this function in their settings. Regarding Facebook Messenger, Meta received an extension for compliance from the Commission. Although the interoperability solution generally received positive feedback, some critics suggest it might diminish multi-homing, potentially reducing competition.29

Tackling data-driven advantages

A second set of DMA rules aims to prevent gatekeepers from exploiting advantages arising from their ability to collect and access large amounts of data to create barriers to market entry, thus fundamentally challenging the gatekeepers’ data-driven business models.

Inspired by the German Federal Cartel Office’s case against Facebook’s data combination practices,30 gatekeepers can no longer combine or use personal user data across their CPSs and other services for targeted advertising, unless the user gives consent as defined by the General Data Protection Regulation.31 Gatekeepers have offered different solutions to comply. ByteDance argues that the rule doesn’t apply to TikTok because its advertising service is an integral part of it. This interpretation was rejected in the Commission’s initial designation decision32 and was also criticised during the compliance workshop. Apple reported that it will cease all cross-use of personal data but provided no specific details on implementation. Amazon, Alphabet, and Microsoft continue data combination and cross-use with updated consent screens, allowing users to separate their services into distinct data entities. However, the question of what constitutes qualified consent was critically discussed during the workshops, especially as some gatekeepers appear to be nudging users towards consent and restricting certain functionalities if consent is withheld. Some view this as an instance of ‘malicious compliance’, a deliberate effort by gatekeepers to make users resent the new rules.33 Meta faced heightened criticism for its compliance solution, the ‘pay or consent’ model, introduced in November 2023 in response to a requested ban on processing personal data for behavioural advertising by the EDPB.34 This model requires Facebook and Instagram users to either consent to data processing or pay a monthly subscription fee. The Commission initiated a non-compliance proceeding against Meta,35 arguing that this binary choice fails to offer a genuine alternative and does not meet the goal of preventing gatekeepers from collecting large amounts of personal data. Commenting on this, Internal Market Commissioner Breton even argued that the DMA puts a clear requirement on gatekeepers to offer a free, non-personalised alternative,36 despite earlier instances of Commission representatives37 and the CJEU supporting a paid subscription model.38  It will be interesting to see how such interpretative divergence will unfold, especially as the pay or consent model is concurrently under investigation by BEUC – the European Consumer Organization,39 the EDPB40 and the Commission41 under the DMA’s complementary regulation, the Digital Services Act.42

As a second data-related rule, the DMA mandates data portability to reduce users’ switching costs. Extending beyond the data portability requirements in the GDPR and in national competition laws such as in Germany, users must be able to port their data in a continuous and real-time manner and free of charge. While Apple missed the compliance deadline, Alphabet, Amazon, ByteDance and Microsoft reported the implementation of APIs43  allowing third parties to import user-authorised data and strengthened self-service download portals for end users. However, differences exist regarding the ease of usability of these tools, as noted by stakeholders. In addition, the gatekeepers highlighted security and data protection risks, for which they cannot guarantee full protection. Gatekeepers must also provide business users and their authorised third parties with effective, high-quality, continuous and real-time access to their data, but they have made only minimal changes to meet this requirement.

An additional data-access provision applies specifically to search engine providers, who must give competitors access to anonymized ranking, query, click and view data on fair, reasonable and non-discriminatory (FRAND) terms to reduce data-driven advantages. As the only designated search engine provider, Alphabet launched the European Search Dataset Licensing Program for Google Search. This programme allows third-party search engine providers to purchase Google Search data. To counteract the ‘natural tension’ between such data access and safeguarding the privacy of their users, as highlighted by Alphabet in its compliance workshop, providers must meet conditions related to their service, data protection track record, financial viability, connection to state actors and search engine optimisation activities. Whether this approach meets FRAND standards was questioned by stakeholders, and the lack of clarity and experience with FRAND terms in this area may lead to legal disputes.44

Lastly, the DMA restricts the misuse of data from competing businesses, inspired by a previous competition proceeding against Amazon.45 Gatekeepers are prohibited from using non-public data to out-compete their business users. However, the DMA’s impact appears to be limited here, as all gatekeepers deny engaging in such behaviour. Verifying these claims will likely be difficult without additional information from them.

Conclusion

By introducing a comprehensive set of rules aimed at ensuring fair and contestable digital markets, the DMA represents an important tool in the Commission’s effort to address large, powerful platforms. This article has outlined the initial phase of gatekeepers’ compliance efforts, revealing significant variance in their approaches. Their substantive compliance has been criticised as insufficient as gatekeepers seemingly resort to diverse circumvention strategies. Moreover, both gatekeepers and several stakeholders have highlighted that the changes implemented may require compromises and trade-offs concerning security, privacy and user experience.

Furthermore, evaluating the effectiveness of the gatekeepers’ measures may prove challenging due to the lack of implementation specifics and standardisation in compliance reports, despite the Commission’s provision of a comprehensive reporting template.46  Moreover, there may be the need for effective methods and metrics for monitoring compliance. The inconsistent implementation of substantive changes and reporting requirements may also indicate the need for customised compliance criteria tailored to the different business models of gatekeepers. However, this individualised approach would again not sufficiently take account of fundamental issues of power – which has been a general criticism of the DMA.47

Similar issues arise concerning the consumer profiling reports, where gatekeepers generally fall short of providing comprehensive descriptions of their profiling techniques. Instead, they often vaguely outline personalisation methods without adhering to the Commission’s template. Consequently, achieving differentiation based on privacy protection seems unlikely at present.

Ultimately, the success of the DMA depends not only on the willingness of platforms to comply but also on the Commission’s ability to enforce the DMA in the face of resistance. Investigations into several gatekeepers shortly after the submission of the compliance reports indicate the Commission’s readiness to take further action. However, resolving all the details may take years, leaving the effectiveness of the DMA in levelling the digital market playing field uncertain.

Alena Birrer

Alena Birrer is a research and teaching associate in the Media and Internet Governance Division of the Department of Communication and Media Research at the University of Zurich. [email protected]

Natascha Just

Natascha Just is a professor of communication and chair of the Media and Internet Governance Division of the Department of Communication and Media Research at the University of Zurich. [email protected]

1 DMA, Regulation (EU) 2022/1925.

2 European Commission (2024). Commission opens non-compliance investigations against Alphabet, Apple and Meta under the Digital Markets Act. Press release, 25 March. bit.ly/4aVi1af

3 Just N, Birrer A and He D (2023). Concentration and control in times of platformisation. Intermedia, 51(2), Article 2. bit.ly/3VAp6bH

4 Zimmer D and Göhsl J-F (2024). Enforcement of the Digital Markets Act: The European Commission Takes Action. Verfassungsblog, 10 April. bit.ly/3VbbBOo

5 Just N (2022). Which Is to Be Master? Competition Law or Regulation in Platform Markets. International Journal of Communication, 16, 504–524.

6 European Commission (2023). Digital Markets Act: Commission designates six gatekeepers. Press release, 6 September. bit.ly/3XcNdyw

7 In April 2024 the Commission designated iPad iOS as another CPS of Apple, and in May 2024 it recognised Booking.com as a seventh gatekeeper while concurrently opening a market investigation into X.

8 See note 6.

9 DMA, Recital 72.

10 Just N (2018). Governing online platforms: Competition policy in times of platformization. Telecommunications Policy, 42(5), 386–394. bit.ly/3ONDw5l

11 See note 3.

12 Available at digital-markets-act-cases.ec.europa.eu/reports/compliance-reports

13 Available at digital-markets-act-cases.ec.europa.eu/reports/consumer-profiling-reports

14 Available at digital-markets-act.ec.europa.eu/events/workshops_en

15 See note 2.

16 European Commission (2024). Commission launches Whistleblower Tools for Digital Services Act and Digital Markets Act. Press release, 10 April. bit.ly/3KAhksj

17 Auer D (2024). The Future of the DMA: Judge Dredd or Juror 8? Truth on the Market, 8 April. bit.ly/4aWptle

18 Caffarra C (2024). Of Hope, Reality, and the EU Digital Markets Act. Tech Policy Press, 6 May. bit.ly/3VyZX1b

19 Porter J (2024). Apple, Meta, and Google targeted by EU in DMA non-compliance investigations. The Verge, 25 March. bit.ly/4eiM7r1

20 Perez S (2024). Apple revises its DMA rules after pressure, but keeps the Core Technology Fee intact. TechCrunch, 5 March. tcrn.ch/4bU6lG4

21 Booth C (2024). A first look at Europe’s alternative iPhone app stores. The Verge, April 3. bit.ly/3RhCPBR

22 See note 2.

23 See note 2. Additionally, in March 2024 the Commission fined Apple 1.8 billion euros for imposing anti-steering provisions in the distribution of music streaming apps.

24 See note 2.

25 Segal D (2024). Google’s changes do not comply with Digital Markets Act. Yelp - Official Blog, 29 February. bit.ly/3KB5GgP

26 See note 18.

27 See note 2.

28 Herbers B (2023). Artikel 7 (Verpflichtung von Torwächtern zur Interoperabilität nummernunabhängiger interpersoneller Kommunikationsdienste). In R. Podszun (Ed.), Nomos Handkommentar zum Digital Markets Act. Nomos Verlagsgesellschaft.

29 Bourreau M, Kraemer J and Buiten M (2022). Interoperability in Digital Markets. Centre on Regulation in Europe, March. bit.ly/3RqkBxZ

30 Case B6-22/16. See bit.ly/45kj4z7

31 GDPR, Regulation (EU) 2016/679. bit.ly/3KWYGLr

32 European Commission (2023). Case DMA.100040. ByteDance – Online social networking services, 5 September. bit.ly/3KDpMqD

33 Hancock E (2024). ‘Severe pain in the butt’: EU’s digital competition rules make new enemies on the internet. Politico, 25 March. politi.co/3VliCvY

34 European Data Protection Board (2023). EDPB Urgent Binding Decision on processing of personal data for behavioural advertising by Meta, 1 November. bit.ly/4e8OvR4

35 See note 2.

36 European Commission (2024). Remarks by Executive Vice-President Vestager and Commissioner Breton on the opening of non-compliance investigations under the Digital Markets Act, 25 March. bit.ly/4aRufkh

37 Valero J (2018). Vestager: ‘I’d like a Facebook that I pay, with full privacy’. Euractiv, 27 June. bit.ly/3XinJzL

38 Case C-252/21 Facebook. bit.ly/45ros3A

39 BEUC, The European Consumer Organization (2023). Choose to Lose with Meta, 30 November. bit.ly/4chdgsr

40 European Data Protection Board (2024). Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms, 17 April. bit.ly/4bR54zC

41 European Commission (2024). Commission sends request for information to Meta under the Digital Services Act. Press release, 1 March. bit.ly/3VkQNUM

42 DSA, Regulation (EU) 2022/2065.

43 Application programming interface, a means of enabling interoperability between software programs and components.

44 Wolf-Posch A (2023). Artikel 6 Abs. 11 (Zugang zu Suchmaschinendaten). In R. Podszun (Ed.). Nomos Handkommentar zum Digital Markets Act. Nomos Verlagsgesellschaft.

45 Case AT.40462.

46 Available at: digital-markets-act.ec.europa.eu/legislation_en#templates

47 See note 18.