Artifact GuideEU

EU Digital Markets Act (DMA) Compliance Program & Monitoring

Design a DMA compliance function, evidence library, and monitoring layer that scales across CPS.

Aligned to Articles 5-7 obligations and the Commission's Article 11 compliance report expectations.

Back to main artifact Review sources

Author

Sorena AI

Published

Feb 21, 2026

Updated

Feb 23, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published Feb 21, 2026

Updated Feb 23, 2026

Overview

DMA compliance fails most often where governance is vague: unclear owners, missing evidence, and "one-off" product changes that drift over time. The DMA explicitly requires a compliance function (Article 28) and expects transparent, detailed reporting on measures for Articles 5-7. This guide shows how to build a DMA compliance program that stays correct as products evolve.

Section 1

Start with the DMA operating model: CPS-by-CPS compliance ownership

DMA obligations attach to each core platform service (CPS) listed in the designation decision. Your compliance program should mirror that structure.

Use a "CPS control plane" approach: one governance model, replicated per CPS, with shared evidence standards and monitoring patterns.

Create CPS owners: one product owner + one policy/legal owner per CPS.
Create obligation owners: data combination/consent, ranking and self-preferencing, app distribution and defaults, interoperability and APIs, ads transparency and measurement.
Maintain a single evidence standard across CPS (naming, retention, versioning, and exportability).

Recommended next step

Turn EU Digital Markets Act (DMA) Compliance Program & Monitoring into an operational assessment

Assessment Autopilot can take EU Digital Markets Act (DMA) Compliance Program & Monitoring from operationalizing the guidance into a tracked program to a reusable workflow inside Sorena. Teams working on EU Digital Markets Act (DMA) can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow

Open Assessment Autopilot for EU Digital Markets Act (DMA) Compliance Program & Monitoring

Start from EU Digital Markets Act (DMA) Compliance Program & Monitoring and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step

Talk to Sorena

Talk through EU Digital Markets Act (DMA)

Review your current process, evidence gaps, and next steps for EU Digital Markets Act (DMA) Compliance Program & Monitoring.

Explore next step

Section 2

Article 28 compliance function: what "independent" means in practice

The DMA requires gatekeepers to introduce a compliance function independent from operational functions, composed of one or more compliance officers (including a head of compliance).

The compliance function must have sufficient authority, stature, resources, and access to the management body to monitor compliance.

Reporting line: head of compliance reports directly to the management body and can raise concerns and warn of non-compliance risks.
Independence controls: separation of responsibilities, conflict-of-interest prevention, and protected removal conditions (head not removed without management approval).
Task list: organise/monitor/supervise DMA measures, advise employees, monitor binding commitments where relevant, and cooperate with the Commission.

Section 3

Article 11 compliance reporting: build the evidence library before you need it

The Commission's Article 11 compliance report template is effectively a checklist for evidence. It expects a compliance statement and an exhaustive explanation per CPS and per applicable obligation (Articles 5-7).

A good evidence library is engineering-grade: it includes both "what changed" and "why it is compliant", backed by data and internal documentation.

For each obligation: record prior state, implementation date, product/service/device scope, geographic scope, and the technical/engineering changes made.
Include supporting artifacts: data points, visual illustrations, recorded demos, API documentation, ranking parameter explanations, and security integrity justifications.
Store underlying raw data ready for Commission requests; keep the report, annexes, non-confidential summary, and exports machine-readable where possible.
Track retention policy explicitly because the Article 11 template expects gatekeepers to disclose document-retention treatment without undue delay.

Section 4

Monitoring layer: make compliance measurable and continuously testable

DMA compliance is dynamic: ranking changes, consent screens drift, defaults regress, and APIs evolve. Monitoring is how you prevent "compliance decay."

Design monitoring so a regulator question can be answered with: evidence -> metric -> control -> owner.

Control monitoring: automated checks for default-setting prompts, uninstall flows, app-store access rules, ranking neutrality tests, and data-sharing permission gates.
Change control: DMA review gates in product launch processes for CPS changes, A/B experiments, and policy updates.
KPI dashboards: track portability request volumes, interoperability request SLAs, consent refusal rates, ranking fairness audits, and business-user complaint themes.

Section 5

Regulator readiness: retention, audits, and third-party information

The Commission can take actions to monitor effective implementation and compliance, including requiring retention of relevant documents and appointing independent experts/auditors to assist monitoring.

Third parties can inform national competent authorities or the Commission directly about practices falling within the DMA scope. Treat stakeholder submissions as a predictable input stream.

Retention policy: define what you retain, for how long, and how quickly you can produce it (screens, logs, ranking parameters, API access rules).
Audit drills: run internal "Commission-style" reviews against a sample of obligations per CPS and produce the evidence pack as if requested tomorrow.
Issue intake: centralise business-user and end-user complaints related to DMA obligations; link them to obligations and remediation work items.

Section 6

Practical 30/60/90-day DMA compliance program plan

Use this as a quick-start plan for building the compliance function, monitoring, and evidence library alongside product implementation.

Adjust the sequence per CPS designation date and the 6-month compliance deadline.

30 days: appoint compliance function leadership, define CPS inventory and owners, set evidence standards, and start obligation-to-feature mapping.
60 days: implement monitoring checks for top-risk obligations (consent and data combination, ranking and self-preferencing, app distribution and defaults), and start compliance report drafting skeleton per CPS.
90 days: run audit drills, refine KPIs, ensure machine-readable evidence exports, prepare the profiling-techniques description workstream if applicable, and publish an internal DMA playbook for product teams.

Primary sources