Artifact GuideEU

EU Digital Markets Act (DMA) Compliance Guide

A how-to guide for implementing DMA obligations per core platform service (CPS).

Built for practitioners: workstreams, owners, evidence, and monitoring aligned to Commission expectations.

Back to main artifact Review sources

Author

Sorena AI

Published

Feb 21, 2026

Updated

Feb 23, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published Feb 21, 2026

Updated Feb 23, 2026

Overview

DMA compliance starts with one reality: obligations attach to specific core platform services (CPS) listed in a gatekeeper designation decision, and the gatekeeper must comply with Articles 5-7 within 6 months after listing. This guide shows how to convert the DMA into shipped product changes and an evidence library that supports Article 11 reporting and reduces enforcement risk.

Section 1

Step 1 - Scope your CPS and map obligations per service

Treat CPS scoping as an engineering artifact. Designation decisions list relevant CPS, and obligations attach to each listed CPS.

Build a CPS inventory with boundaries, system maps, and user journeys; then map Articles 5-7 obligations to the surfaces that implement them.

Per CPS: identify ranking/discovery surfaces, default settings, distribution channels, APIs, and cross-service data sharing points.
Create an obligation-to-feature map for Articles 5-7 with owners and acceptance criteria per obligation.
Identify obligations that require "integrity/security" restrictions and prepare necessity + proportionality justification.

Section 2

Step 2 - Build the 0-6 month delivery plan (designation -> compliance deadline)

After a CPS is listed in the designation decision, the gatekeeper must comply with Articles 5, 6, and 7 within 6 months.

Break the 6 months into release milestones that ship functionality and evidence in parallel.

Month 0-1: finalise scope, implement consent/data combination controls (Article 5(2)), and design choice screens/default changes (Article 6(3)).
Month 1-3: implement app distribution and third-party app store enablement (Article 6(4)), ranking governance changes (Article 6(5)), and portability/data access tooling (Article 6(9)-(10)).
Month 3-6: harden monitoring, publish required terms/access conditions, validate interoperability and API access parity (Article 6(7)), and complete evidence pack for reporting.

Recommended next step

Turn EU Digital Markets Act (DMA) Compliance Guide into an operational assessment

Assessment Autopilot can take EU Digital Markets Act (DMA) Compliance Guide from operationalizing the guidance into a tracked program to a reusable workflow inside Sorena. Teams working on EU Digital Markets Act (DMA) can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow

Open Assessment Autopilot for EU Digital Markets Act (DMA) Compliance Guide

Start from EU Digital Markets Act (DMA) Compliance Guide and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step

Talk to Sorena

Talk through EU Digital Markets Act (DMA)

Review your current process, evidence gaps, and next steps for EU Digital Markets Act (DMA) Compliance Guide.

Explore next step

Section 3

Step 3 - Implement Article 5 obligations (data, anti-steering, and tying bans)

Article 5 contains high-impact requirements that often require product and commercial changes.

Implement these with concrete controls: permissions gates, policy changes, logging, and tests.

Consent and data combination: do not combine/cross-use personal data across CPS and other services unless end users have specific choice and consent; do not re-request more than once per year if refused/withdrawn.
Anti-steering: allow business users to offer different prices/conditions elsewhere; allow business users to communicate/promote offers and conclude contracts with end users acquired via the CPS.
No forced use of gatekeeper services: do not require gatekeeper identity, browser engine, payment services, or in-app payment technical services for business users' services.
Ads transparency: implement daily reporting for advertisers and publishers on prices/fees/remuneration and metric basis.

Section 4

Step 4 - Implement Article 6 obligations (choice, distribution, fairness, access)

Article 6 obligations often require deep engineering work: uninstallability, default settings and choice screens, third-party app distribution, ranking neutrality, and continuous data access.

Design for measurement and auditability because Article 6 obligations can be further specified under Article 8.

Enable uninstall and default changes; prompt end users at first use to choose search/assistant/browser providers where applicable.
Allow third-party apps and app stores using/interoperating with the OS, including access outside the gatekeeper CPS, subject to strictly necessary and proportionate integrity/security measures.
No self-preferencing in ranking/indexing/crawling; apply transparent, fair, non-discriminatory ranking conditions and implement ranking governance + parity tests.
Provide end-user data portability tools and continuous/real-time access; provide business-user continuous/real-time access to aggregated and non-aggregated data generated via CPS use (personal data with opt-in consent).

Section 5

Step 5 - Implement Article 7 (if applicable): staged messaging interoperability

If you operate a designated number-independent interpersonal communications service (NICS), Article 7 introduces staged interoperability obligations relative to designation.

Treat this as a multi-year engineering program with security assurance and operational SLAs for requests.

After listing: 1:1 text messaging and 1:1 file sharing interoperability (where offered).
Within 2 years: group messaging interoperability and group-to-individual file sharing interoperability.
Within 4 years: voice and video call interoperability (1:1 and group-to-individual).
Publish a reference offer within the 6-month period and comply with reasonable interoperability requests within 3 months.

Section 6

Step 6 - Governance and evidence: Article 28 compliance function + Article 11 reporting

DMA requires an independent compliance function (Article 28). This is your "compliance engine" that maintains the program through product change.

The Commission's Article 11 compliance report template clarifies what evidence you must be able to produce per CPS and per obligation.

Stand up the compliance function with direct reporting to the management body, sufficient resources, and clear task ownership.
Build an evidence library per CPS and per obligation: prior state, implementation date, scope, engineering changes, UX changes, and effectiveness metrics.
Keep underlying raw data ready and export evidence in machine-readable formats where possible.

Primary sources