
EU Digital Markets Act Gatekeeper checklist

Use this checklist to test whether DMA work is anchored to a designated gatekeeper, a listed core platform service, and the specific Article 5, 6 or 7 obligation being implemented.

The checks focus on scope, interoperability, data access, self-preferencing, Article 11 reporting, anti-circumvention, evidence, and governance records.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026

Overview

The Digital Markets Act checklist should start with the designation decision and the relevant core platform service, not a generic platform policy. A control is ready for review only when it identifies the gatekeeper, the listed core platform service, the Article 5, 6 or 7 obligation, the implemented measure, and the evidence that demonstrates effective compliance. Timings in this page are source-linked; verify current legal source language before implementation decisions.

1. Confirm gatekeeper and core platform service scope

Apply DMA obligation checks only to the core platform services listed for a designated gatekeeper. Article 3 requires the Commission designation decision to list the relevant core platform services, and Article 3(10) ties the compliance obligation to those listed services.

For internal triage, separate three questions: whether the undertaking is or may be a gatekeeper, which core platform service is listed or under assessment, and which product features or business user flows sit inside that service.

  • Record the gatekeeper name and the exact core platform service from the Commission designation or gatekeepers page.
  • Check whether the service category is a DMA core platform service, such as an online intermediation service, online search engine, online social networking service, video-sharing platform service, number-independent interpersonal communications service, operating system, web browser, virtual assistant, cloud computing service, or online advertising service.
  • If relying on the Article 3 quantitative presumption, keep evidence for Union turnover or market value, Member State presence, monthly active end users in the Union, yearly active business users in the Union, and the three-financial-year durability test.
  • Treat designation and scope as service-specific: a company may be designated for some core platform services and not for every product it operates.
  • Open a reassessment when there is a substantial change in the facts behind designation, a new listed service, a concentration involving digital services or data collection, or a Commission review of gatekeeper status.

2. Check Article 5 obligations that apply without further specification

Article 5 controls should be tested at the level of the relevant core platform service and the affected user flow. The checklist should show whether the gatekeeper has stopped the prohibited conduct or enabled the required access, communication, pricing, complaint, and advertising transparency rights.

Do not close an Article 5 item with a policy statement alone. Keep product screenshots, terms, API behavior, consent records, ad reporting samples, or business user communications that prove the measure works in practice.

  • Personal data combination and cross-use: verify that advertising use, data combination, cross-use, and cross-service sign-in for data combination are blocked unless the required GDPR consent choice is captured, and that refused or withdrawn consent is not requested again for the same purpose more than once in a year.
  • Anti-steering and business user communication: confirm business users can offer different prices or conditions through third-party channels or direct sales channels, promote offers to acquired end users free of charge, and conclude contracts outside the gatekeeper service.
  • Access to acquired content: confirm end users can access subscriptions, features, content, or other items through a business user app even if acquired outside the gatekeeper core platform service.
  • Complaint rights: confirm contracts, support flows, and account controls do not directly or indirectly restrict business users or end users from raising non-compliance issues with public authorities or courts.
  • Tying and registration checks: confirm business users and end users are not required to use the gatekeeper's identification service, browser engine, payment service, payment technical services, or additional core platform services as a condition of using the listed service.
  • Advertising transparency: for online advertising services, test whether advertisers and publishers can receive daily, free-of-charge information on prices, fees, remuneration, deductions, surcharges, and calculation metrics where Article 5(9) or 5(10) applies.

3. Check Article 6 obligations for product, data, ranking, access, and portability

Article 6 obligations often require engineering, product, marketplace, advertising, search, and data teams to produce evidence together. The record should connect the legal obligation to the affected interface, ranking system, data pipeline, API, default setting, access condition, or termination condition.

Where a gatekeeper uses security, integrity, privacy, or operating-system protection as a reason for a limitation, keep the justification and show why the measure is strictly necessary and proportionate.

  • Business user data firewall: confirm the gatekeeper does not use non-public data generated or provided by business users, including their customers' activity data, to compete with those business users.
  • Uninstall and defaults: test that end users can easily uninstall non-essential apps and change default settings for operating systems, virtual assistants, and web browsers that steer users to gatekeeper products or services.
  • Third-party apps and stores: verify installation, effective use, alternative access, and default-setting options for third-party apps or app stores, subject only to justified, strictly necessary and proportionate integrity or security measures.
  • Self-preferencing: test ranking, indexing, and crawling so the gatekeeper's own services or products are not treated more favourably than similar third-party services or products, and keep the ranking methodology and monitoring evidence.
  • Switching and interoperability: confirm there are no technical or other restrictions on switching between, or subscribing to, different apps and services accessed through the core platform service.
  • Advertising measurement: confirm advertisers, publishers, and their authorised third parties can access performance measurement tools and the data needed for independent verification.
  • End user data portability: test free, effective portability for data provided by or generated through end user activity, including continuous and real-time access where required.
  • Business user data access: verify free, high-quality, continuous and real-time access to aggregated and non-aggregated data generated in the relevant core platform service context, with personal data shared only where directly connected to the end user's use of the business user's offering and supported by opt-in consent.
  • Search data access: for online search engines, verify fair, reasonable and non-discriminatory access for third-party search engines to ranking, query, click and view data, with personal data anonymised.
  • Access terms and termination: check fair, reasonable and non-discriminatory access conditions for app stores, online search engines, and online social networking services, and confirm termination terms are not disproportionate or unduly difficult to exercise.

4. Check Article 7 communications interoperability

Article 7 applies where the designated core platform service is a number-independent interpersonal communications service. The checklist should distinguish Article 7 communications interoperability from Article 6(7) operating-system, hardware, software, or virtual-assistant interoperability.

The compliance record should cover the reference offer, requester intake, technical interfaces or equivalent solutions, security preservation, personal-data minimisation, and the timing for making requested functionalities operational.

  • Confirm whether the designated service is a number-independent interpersonal communications service and whether the requested basic functionality is provided to the gatekeeper's own end users.
  • Verify that interoperability is available upon request and free of charge through necessary technical interfaces or similar solutions.
  • Check the Article 7 functionality sequence: one-to-one text and file sharing after listing, group text and group file sharing within two years from designation, and voice and video calling functions within four years from designation.
  • Confirm the reference offer publishes technical details, general terms, and security details, including end-to-end encryption where applicable.
  • Track each third-party provider request, whether it is reasonable, which functionalities it covers, and whether requested basic functionalities are made operational within three months after receipt.
  • Keep evidence that the gatekeeper preserves its own level of security, collects and exchanges only personal data strictly necessary for interoperability, and justifies any integrity, security, or privacy measures as strictly necessary and proportionate.

5. Build the Article 11 compliance report evidence pack

Article 11 requires a detailed and transparent report on measures implemented to ensure compliance with Articles 5, 6 and 7, plus a non-confidential summary. The Commission template expects the report to be organised by each listed core platform service and each applicable obligation.

Use the template as an evidence checklist even before the reporting deadline: it shows the level of specificity needed to demonstrate effective compliance under Article 8(1).

  • For each listed core platform service and applicable Article 5, 6 or 7 obligation, include a compliance statement, the implemented measure, and whether it existed before designation or was implemented after designation.
  • Describe the prior situation, implementation date, product, service or device scope, geographic scope, technical or engineering changes, and customer experience changes.
  • Keep proof for changes to data flows, internal data use policies, security measures, metrics, APIs, operating-system functions, ranking parameters, ad auctions, choice screens, consent forms, warnings, system updates, and user journeys.
  • Document fee, revenue-share, remuneration-flow, terms-and-conditions, privacy-policy, access-condition, and interoperability-condition changes where relevant.
  • Record consultation with end users, business users or interested parties, external consultant involvement, alternatives assessed, user communications, feedback, testing, surveys, consent rates, and impact monitoring.
  • Prepare the compliance report, annexes, non-confidential summary, and underlying data in machine-readable form with searchable and recognisable text, and keep raw data ready for Commission requests.
  • Highlight differences from any previous report and disclose any retention policy for responsive documents without undue delay.

6. Test anti-circumvention, governance, and reopening triggers

A DMA checklist should fail any control that works on paper but is undermined by technical design, contract terms, commercial incentives, degraded service quality, non-neutral choices, or interface design. Article 13 makes anti-circumvention a separate governance check.

Governance evidence should show who owns the service scope, legal interpretation, product change, engineering implementation, data access, business-user communication, reporting, and retained proof.

  • Check that services are not segmented, divided, subdivided, fragmented, or split through contractual, commercial, technical, or other means to avoid Article 3 quantitative thresholds.
  • Review whether any contractual, commercial, technical, behavioural, or interface-design practice undermines effective compliance with Articles 5, 6 or 7.
  • Confirm consent flows needed for DMA compliance are not more burdensome for business users than for the gatekeeper's own services.
  • Test whether users or business users who exercise DMA rights face degraded service conditions or quality, undue difficulty, non-neutral choice presentation, or subverted autonomy through interface design.
  • Assign accountable owners for each listed core platform service, obligation, implementation measure, evidence store, report annex, non-confidential-summary entry, requester intake process, and escalation to counsel.
  • Reopen the checklist after product releases, ranking changes, ad auction changes, access-term changes, API or data-pipeline changes, interoperability requests, new consent flows, acquisitions involving digital services or data collection, Commission specification discussions, or Article 11 report updates.

Primary sources

  • digital-markets-act.ec.europa.eu: Commission page identifying designated gatekeepers and their listed core platform services. "In total, 23 core platform services provided by those gatekeepers are currently designated."
  • digital-markets-act.ec.europa.eu: Commission Q&A illustrates DMA interoperability specification work and requester process expectations under the DMA. "free and effective interoperability with hardware and software features controlled by its operating systems"
  • digital-markets-act.ec.europa.eu: Commission legislation page links the DMA text, procedural regulation, notices, guidelines, and official templates used for compliance governance. "The DMA contains the main rules"
  • digital-markets-act.ec.europa.eu: Commission resource page for business-facing DMA materials, including interoperability, data portability, and data access resources. "Resources for businesses"
  • eur-lex.europa.eu: Article 13 supports anti-circumvention checks for service fragmentation, technical or contractual undermining of compliance, burdensome consent, degraded conditions, non-neutral choices, and interface design. "The gatekeeper shall not engage in any behaviour that undermines effective compliance"