Artifact GuideEU

EU Digital Markets Act (DMA) Compliance Checklist

A checklist you can run per core platform service (CPS) and ship against.

Designed for the 6-month compliance clock and Article 11 reporting evidence.

Back to main artifact Review sources

Author

Sorena AI

Published

Feb 21, 2026

Updated

Feb 23, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published Feb 21, 2026

Updated Feb 23, 2026

Overview

DMA compliance is a program, not a document. Use this checklist to turn the EU Digital Markets Act (DMA) into shipped product changes, monitored controls, and an evidence library that supports Article 11 compliance reporting and reduces enforcement risk.

Section 1

Checklist Part A - Scope and designation readiness (Article 2-3)

Run this part first. Everything else depends on correct CPS boundaries and correct designation timing per CPS.

Treat CPS scoping as an engineering artifact: if you can't draw boundaries, you can't implement obligations consistently.

Inventory CPS categories you provide (Article 2): intermediation, search, social networking, video-sharing, NICS, OS, browser, virtual assistant, cloud computing, and ads services linked to those CPS.
For each CPS: define boundaries, key user journeys, ranking surfaces, data-sharing points, developer APIs, and ads stack dependencies.
Run the gatekeeper presumption thresholds per CPS (Article 3(2)) and set internal "threshold met" trigger dates for the 2-month notification clock (Article 3(3)).
Build a designation readiness pack: metrics methodology, Member State coverage, and a defensible CPS listing proposal.

Recommended next step

Turn EU Digital Markets Act (DMA) Compliance Checklist into an operational assessment

Assessment Autopilot can take EU Digital Markets Act (DMA) Compliance Checklist from turning this checklist into an operational workflow to a reusable workflow inside Sorena. Teams working on EU Digital Markets Act (DMA) can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow

Open Assessment Autopilot for EU Digital Markets Act (DMA) Compliance Checklist

Start from EU Digital Markets Act (DMA) Compliance Checklist and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step

Talk to Sorena

Talk through EU Digital Markets Act (DMA)

Review your current process, evidence gaps, and next steps for EU Digital Markets Act (DMA) Compliance Checklist.

Explore next step

Section 2

Checklist Part B - The 6-month compliance clock (Articles 5-7)

Once a CPS is listed in a designation decision, the gatekeeper must comply with Articles 5, 6, and 7 within 6 months.

Treat this as a release-train schedule: each obligation becomes deliverables + evidence capture milestones.

Create an obligation-to-feature map per CPS for Articles 5-7 with owners and acceptance criteria.
Prioritise high-impact obligations: consent/data combination (Article 5(2)), anti-steering (Article 5(3)-(4)), app distribution/defaults (Article 6(3)-(4)), ranking neutrality (Article 6(5)), OS feature interoperability (Article 6(7)), and portability/data access (Article 6(9)-(10)).
Define monitoring checks and regression tests before rollout (choice screen tests, uninstall flows, API access parity tests, ranking parity tests).
Plan for staged obligations: Article 7 interoperability timelines (0 / 2 years / 4 years) where applicable.

Section 3

Checklist Part C - Governance: compliance function + change control (Article 28)

DMA requires gatekeepers to introduce an independent compliance function and management accountability for compliance governance.

Governance prevents "compliance drift" when ranking parameters, UX, or access rules change.

Establish the DMA compliance function independent from operations; appoint a head of compliance with direct reporting to the management body.
Set a DMA change control gate for CPS changes (launch reviews, A/B experiments, ranking changes, policy changes).
Create an exceptions register (integrity/security restrictions) with necessity + proportionality justification and test evidence.

Section 4

Checklist Part D - Evidence library and Article 11 compliance reporting

The Commission's Article 11 compliance report template is your evidence blueprint. Build the evidence library as you implement so reporting isn't a scramble.

For each obligation, capture both what changed and how it achieves effective compliance, backed by data and documentation.

Per CPS and per obligation: compliance statement, exhaustive explanation, prior state, implementation date, scope (products/devices), geographic scope, and engineering/UX changes.
Attach supporting data and internal documents (including recorded demos where relevant).
Keep underlying raw data ready for Commission requests; store evidence in machine-readable formats where possible.

Section 5

Checklist Part E - Stakeholder and enforcement readiness

DMA programs are stress-tested via stakeholder expectations: business users, developers, competitors, and end users.

Prepare for information requests and enforcement-style questions by making evidence retrieval fast and repeatable.

Set up a single intake for DMA-related complaints and developer requests; tag by CPS + obligation + remediation owner.
Rehearse "Commission-style" requests: produce logs, data, and testing evidence quickly (days, not weeks).
Monitor Commission resources and Q&A updates that shape expectations (interoperability specifications and guidance).

Primary sources