---
title: "DMA Compliance Program & Monitoring (Compliance Function + Evidence)"
canonical_url: "https://www.sorena.io/artifacts/eu/digital-markets-act/compliance-program-and-monitoring"
source_url: "https://www.sorena.io/artifacts/eu/digital-markets-act/compliance-program-and-monitoring"
author: "Sorena AI"
description: "How to build an EU DMA compliance program that survives scrutiny: Article 28 compliance function design, monitoring readiness."
published_at: "2026-02-21"
updated_at: "2026-02-23"
keywords:
  - "DMA compliance program"
  - "DMA monitoring"
  - "Article 28 compliance function"
  - "Article 11 compliance report template"
  - "DMA evidence pack"
  - "DMA audit readiness"
  - "Digital Markets Act compliance program"
  - "gatekeeper compliance monitoring"
  - "DMA compliance function"
  - "Article 11 compliance report"
  - "evidence library"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# DMA Compliance Program & Monitoring (Compliance Function + Evidence)

How to build an EU DMA compliance program that survives scrutiny: Article 28 compliance function design, monitoring readiness.

*Artifact Guide* *EU*

## EU Digital Markets Act (DMA) Compliance Program & Monitoring

Design a DMA compliance function, evidence library, and monitoring layer that scales across CPS.

Aligned to Articles 5-7 obligations and the Commission's Article 11 compliance report expectations.

DMA compliance fails most often where governance is vague: unclear owners, missing evidence, and "one-off" product changes that drift over time. The DMA explicitly requires a compliance function (Article 28) and expects transparent, detailed reporting on measures for Articles 5-7. This guide shows how to build a DMA compliance program that stays correct as products evolve.

## Start with the DMA operating model: CPS-by-CPS compliance ownership

DMA obligations attach to each core platform service (CPS) listed in the designation decision. Your compliance program should mirror that structure.

Use a "CPS control plane" approach: one governance model, replicated per CPS, with shared evidence standards and monitoring patterns.

- Create CPS owners: one product owner + one policy/legal owner per CPS.
- Create obligation owners: data combination/consent, ranking and self-preferencing, app distribution and defaults, interoperability and APIs, ads transparency and measurement.
- Maintain a single evidence standard across CPS (naming, retention, versioning, and exportability).

*Recommended next step*

*Placement: after the compliance steps*

## Turn EU Digital Markets Act (DMA) Compliance Program & Monitoring into an operational assessment

Assessment Autopilot can take EU Digital Markets Act (DMA) Compliance Program & Monitoring from operationalizing the guidance into a tracked program to a reusable workflow inside Sorena. Teams working on EU Digital Markets Act (DMA) can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Assessment Autopilot for EU Digital Markets Act (DMA) Compliance Program & Monitoring](/solutions/assessment.md): Start from EU Digital Markets Act (DMA) Compliance Program & Monitoring and turn the guidance into owned tasks, evidence requests, and review checkpoints.
- [Talk through EU Digital Markets Act (DMA)](/contact.md): Review your current process, evidence gaps, and next steps for EU Digital Markets Act (DMA) Compliance Program & Monitoring.

## Article 28 compliance function: what "independent" means in practice

The DMA requires gatekeepers to introduce a compliance function independent from operational functions, composed of one or more compliance officers (including a head of compliance).

The compliance function must have sufficient authority, stature, resources, and access to the management body to monitor compliance.

- Reporting line: head of compliance reports directly to the management body and can raise concerns and warn of non-compliance risks.
- Independence controls: separation of responsibilities, conflict-of-interest prevention, and protected removal conditions (head not removed without management approval).
- Task list: organise/monitor/supervise DMA measures, advise employees, monitor binding commitments where relevant, and cooperate with the Commission.

## Article 11 compliance reporting: build the evidence library before you need it

The Commission's Article 11 compliance report template is effectively a checklist for evidence. It expects a compliance statement and an exhaustive explanation per CPS and per applicable obligation (Articles 5-7).

A good evidence library is engineering-grade: it includes both "what changed" and "why it is compliant", backed by data and internal documentation.

- For each obligation: record prior state, implementation date, product/service/device scope, geographic scope, and the technical/engineering changes made.
- Include supporting artifacts: data points, visual illustrations, recorded demos, API documentation, ranking parameter explanations, and security integrity justifications.
- Store underlying raw data ready for Commission requests; keep the report, annexes, non-confidential summary, and exports machine-readable where possible.
- Track retention policy explicitly because the Article 11 template expects gatekeepers to disclose document-retention treatment without undue delay.

## Monitoring layer: make compliance measurable and continuously testable

DMA compliance is dynamic: ranking changes, consent screens drift, defaults regress, and APIs evolve. Monitoring is how you prevent "compliance decay."

Design monitoring so a regulator question can be answered with: evidence -> metric -> control -> owner.

- Control monitoring: automated checks for default-setting prompts, uninstall flows, app-store access rules, ranking neutrality tests, and data-sharing permission gates.
- Change control: DMA review gates in product launch processes for CPS changes, A/B experiments, and policy updates.
- KPI dashboards: track portability request volumes, interoperability request SLAs, consent refusal rates, ranking fairness audits, and business-user complaint themes.

## Regulator readiness: retention, audits, and third-party information

The Commission can take actions to monitor effective implementation and compliance, including requiring retention of relevant documents and appointing independent experts/auditors to assist monitoring.

Third parties can inform national competent authorities or the Commission directly about practices falling within the DMA scope. Treat stakeholder submissions as a predictable input stream.

- Retention policy: define what you retain, for how long, and how quickly you can produce it (screens, logs, ranking parameters, API access rules).
- Audit drills: run internal "Commission-style" reviews against a sample of obligations per CPS and produce the evidence pack as if requested tomorrow.
- Issue intake: centralise business-user and end-user complaints related to DMA obligations; link them to obligations and remediation work items.

## Practical 30/60/90-day DMA compliance program plan

Use this as a quick-start plan for building the compliance function, monitoring, and evidence library alongside product implementation.

Adjust the sequence per CPS designation date and the 6-month compliance deadline.

- 30 days: appoint compliance function leadership, define CPS inventory and owners, set evidence standards, and start obligation-to-feature mapping.
- 60 days: implement monitoring checks for top-risk obligations (consent and data combination, ranking and self-preferencing, app distribution and defaults), and start compliance report drafting skeleton per CPS.
- 90 days: run audit drills, refine KPIs, ensure machine-readable evidence exports, prepare the profiling-techniques description workstream if applicable, and publish an internal DMA playbook for product teams.

## Primary sources

- [Regulation (EU) 2022/1925 (Digital Markets Act) - Official Journal](https://eur-lex.europa.eu/eli/reg/2022/1925/oj?ref=sorena.io) - Compliance function requirements (Article 28) and Commission monitoring powers (Article 26), plus obligations baseline (Articles 5-7).
- [European Commission - Article 11 DMA Compliance Report Template (9 Oct 2023)](https://digital-markets-act.ec.europa.eu/about-dma/practical-information_en#templates?ref=sorena.io) - Evidence expectations for compliance reporting (per CPS and per obligation) and annual update cadence.
- [European Commission - Further information about the DMA (Q&A)](https://digital-markets-act.ec.europa.eu/questions-and-answers/further-information-about-dma_en?ref=sorena.io) - Submission channels and stakeholder interaction patterns that feed monitoring and issue intake.
- [European Commission - Gatekeepers list and designated core platform services](https://digital-markets-act.ec.europa.eu/gatekeepers_en?ref=sorena.io) - CPS-level scope and designation examples for building CPS-by-CPS governance.
- [DG Competition - EU SEND secure document exchange platform](https://competition-policy.ec.europa.eu/index/it-tools/eu-send_en?ref=sorena.io) - Secure document submission mechanism often used in DMA-related exchanges.

## Related Topic Guides

- [DMA Applicability Test (Gatekeeper Scoping) | EU Digital Markets Act](/artifacts/eu/digital-markets-act/applicability-test.md): A practical DMA applicability test for teams scoping EU Digital Markets Act exposure: core platform service (CPS) mapping, gatekeeper presumption thresholds.
- [DMA Compliance Checklist (Execution-Ready) | EU Digital Markets Act](/artifacts/eu/digital-markets-act/checklist.md): An execution-ready EU DMA checklist: CPS scoping, gatekeeper thresholds, designation readiness, Article 5-7 obligation mapping, product/engineering controls.
- [DMA Deadlines & Compliance Calendar (Key Dates) | EU Digital Markets Act](/artifacts/eu/digital-markets-act/deadlines-and-compliance-calendar.md): A calendar-ready DMA deadlines guide: application date, gatekeeper notification (2 months), designation (45 working days), 6-month compliance deadline.
- [DMA Do's and Don'ts for Product Teams | EU Digital Markets Act](/artifacts/eu/digital-markets-act/dos-and-donts-for-product-teams.md): Practical DMA do's and don'ts for product and engineering teams: how to avoid self-preferencing, implement choice screens and default changes.
- [DMA Enforcement: Penalties, Remedies, and Process | EU Digital Markets Act](/artifacts/eu/digital-markets-act/enforcement-penalties-and-remedies.md): How EU DMA enforcement works: information requests, monitoring, preliminary findings, non-compliance decisions, commitments, interim measures, remedies.
- [DMA Fines & Penalties (10% / 20% / 1% + 5% per day) | EU Digital Markets Act](/artifacts/eu/digital-markets-act/penalties-and-fines.md): A practitioner guide to DMA penalties: non-compliance fines up to 10% worldwide turnover, repeat infringement fines up to 20%, procedural fines up to 1%.
- [DMA Obligations List (Articles 5, 6, 7) - By Obligation | EU Digital Markets Act](/artifacts/eu/digital-markets-act/core-obligations-by-obligation.md): A detailed, obligation-by-obligation breakdown of the EU Digital Markets Act (DMA): Article 5 restrictions, Article 6 obligations (choice screens, app stores.
- [DMA Self-Preferencing Compliance Examples (Article 6(5)) | EU Digital Markets Act](/artifacts/eu/digital-markets-act/self-preferencing-compliance-examples.md): Practical self-preferencing compliance guidance for DMA Article 6(5): what counts as self-preferencing in ranking/indexing/crawling, what "transparent, fair.
- [DMA vs DSA: What's the Difference? (EU Platform Laws)](/artifacts/eu/digital-markets-act/dma-vs-dsa.md): A practical comparison of the EU Digital Markets Act (DMA) vs the Digital Services Act (DSA): what each law regulates, who is in scope, core obligations.
- [EU Digital Markets Act (DMA) Requirements (Articles 5-7)](/artifacts/eu/digital-markets-act/requirements.md): A deep, execution-ready overview of EU DMA requirements for gatekeepers: Article 5 restrictions, Article 6 obligations (choice screens, app distribution.
- [EU DMA Compliance Guide (How to Comply) | Digital Markets Act (DMA)](/artifacts/eu/digital-markets-act/compliance.md): A practical guide to EU Digital Markets Act (DMA) compliance: how to scope CPS, start the 6-month clock after designation, implement Articles 5-7 obligations.
- [EU DMA FAQ (Gatekeepers, Obligations, Deadlines) | Digital Markets Act](/artifacts/eu/digital-markets-act/faq.md): EU Digital Markets Act (DMA) FAQ: what is a gatekeeper, what counts as a core platform service (CPS), what are the key obligations (Articles 5-7).
- [EU DMA Timeline & Key Milestones | Digital Markets Act (2022/1925)](/artifacts/eu/digital-markets-act/timeline-and-key-milestones.md): A grounded EU Digital Markets Act (DMA) timeline: application date, gatekeeper designations, compliance clocks, Article 7 staged interoperability milestones.
- [Gatekeeper Compliance Checklist (DMA Articles 5-7 + Article 11)](/artifacts/eu/digital-markets-act/gatekeeper-compliance-checklist.md): A gatekeeper-focused DMA compliance checklist: what to implement within 6 months per listed CPS, how to structure the Article 11 compliance report.
- [Gatekeeper Designation Guide (DMA Article 3) | EU Digital Markets Act](/artifacts/eu/digital-markets-act/gatekeeper-designation-guide.md): A practical guide to DMA gatekeeper designation: core platform service mapping, Article 3 thresholds (45M / 10,000 / EUR 7.5B / EUR 75B).


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/digital-markets-act/compliance-program-and-monitoring