EU Digital Markets Act Compliance

A DMA control should be opened only after the team can name the designated undertaking, the listed core platform service, and the business-user or end-user journey affected by the control. The legal text defines core platform services to include online intermediation services, online search engines, online social networking services, video-sharing platform services, number-independent interpersonal communications services, operating systems, web browsers, virtual assistants, cloud computing services, and online advertising services provided by an undertaking that provides one of those services.

The designation analysis also matters after designation. Article 3 uses quantitative presumptions for turnover or market value, Union user reach, and durable position, but the Commission can designate under a qualitative assessment as well. The compliance record should therefore separate designation metrics from service-level obligation evidence.

Articles 5, 6 and 7 are the compliance backbone. Article 5 contains direct obligations such as limits on combining or cross-using personal data without consent, anti-steering restrictions, communication and contracting rights for business users, access for end users to externally acquired content, complaint freedom, tying restrictions for identification, browser engine and payment services, and advertising transparency for advertisers and publishers.

Article 6 adds obligations that may be further specified by the Commission. The operational controls typically touch non-public business-user data, uninstall and default-choice flows, third-party app stores and software installation, ranking fairness, switching, interoperability with operating system or virtual assistant features, ad measurement access, end-user data portability, business-user data access, search-data access, FRAND access conditions, and termination terms.

Article 7 is narrower but technically demanding. It applies where a gatekeeper provides a listed number-independent interpersonal communications service and requires requested interoperability for specified basic functionalities while preserving security, including end-to-end encryption where applicable.

Article 11 requires a gatekeeper to provide the Commission, within six months after designation, with a detailed and transparent report describing the measures implemented to ensure compliance with Articles 5, 6 and 7, plus a non-confidential summary. The report and summary must be updated at least annually.

The Commission template makes the evidence burden practical. For each listed core platform service and applicable obligation, it asks for a compliance statement, an exhaustive explanation of measures, supporting data and internal documents, pre-designation or post-designation status, implementation timing, product and geographic scope, technical or engineering changes, customer-journey changes, terms and remuneration changes, consultation, alternative measures considered, testing, indicators, monitoring tools, and access procedures for third parties.

A request for specification dialogue does not remove the reporting obligation for the obligations covered by that request. Teams should therefore keep the Article 11 evidence file current even when they are also discussing specifications with the Commission.

Article 13 turns weak implementation into enforcement risk. It prohibits segmenting or splitting core platform services to avoid designation thresholds, requires full and effective compliance with Articles 5, 6 and 7, and bars contractual, commercial, technical, behavioural, or interface-design behaviour that undermines those obligations.

The practical test is whether the implementation preserves the right in substance. A compliant-looking flow can still be risky if it degrades service quality for users who exercise DMA rights, makes choices unduly difficult, uses non-neutral interface design, burdens business users more than the gatekeeper's own services, or relies on security, privacy or integrity restrictions that are broader than necessary.

Interoperability is not only a legal interpretation issue. Article 6(7) requires free and effective interoperability with operating system, hardware or software features accessed or controlled through a listed operating system or virtual assistant, subject to strictly necessary and proportionate integrity safeguards. Article 7 requires interoperability for listed number-independent interpersonal communications services upon request.

Commission interoperability materials show the kind of evidence expected in practice: request intake, developer-facing guidance, expected timelines, assessment criteria, feedback on proposed solutions, rejection reasoning, independent review, dispute resolution, request tracking, protection of non-public requester information, and public reporting metrics for interoperability requests.

The Commission can adopt non-compliance decisions, require the gatekeeper to cease and desist, and impose fines for intentional or negligent failures to comply with Articles 5, 6 or 7, Commission-specified measures, systematic non-compliance remedies, interim measures, or binding commitments. The DMA also allows periodic penalty payments to compel compliance with specified measures, remedies, information requests, inspections, interim measures, commitments, and non-compliance decisions.

The compliance function should therefore keep management reports, risk assessments, decisions, replies from the management body, monitoring outputs, and remediation status together with the Article 11 evidence. A product team cannot close a DMA control merely by showing that a feature shipped; it must show that the measure is effective for the relevant obligation and that risks of non-compliance were escalated and addressed.