Artifact GuideEU

EU Digital Markets Act (DMA) Gatekeeper Compliance Checklist

A checklist for designated gatekeepers to deliver effective compliance per listed CPS.

Optimised for the 6-month compliance clock and Article 11 evidence requirements.

Back to main artifactReview sources
Author
Sorena AI
Published
Feb 21, 2026
Updated
Feb 23, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Feb 21, 2026
Updated Feb 23, 2026
Overview

If you are designated as a DMA gatekeeper (for one or more core platform services), your biggest risks are timing and proof: implementing within the 6-month deadline and being able to demonstrate effective compliance with evidence. This checklist is designed to be run per CPS and aligned to the Commission's Article 11 compliance report template.

Section 1

Phase 0 - Immediately after designation: lock CPS scope and owners

DMA obligations attach to the CPS listed in the designation decision. If CPS boundaries are unclear internally, compliance will be inconsistent and difficult to defend.

Start by building a CPS-by-CPS accountability model: owners, impacted features, and an evidence library structure.

  • Confirm the list of designated CPS and map each CPS to technical systems, teams, and product surfaces.
  • Assign a product owner and a policy/legal owner per CPS; assign an evidence owner who manages artifacts for Article 11 reporting.
  • Create an obligation-to-feature map per CPS for Articles 5-7 and identify "high-impact obligations" that require product change.
Section 2

Phase 1 - Build the compliance program (Article 28) and reporting pipeline

The DMA requires an independent compliance function with sufficient authority, resources, and direct reporting to the management body.

Build the reporting pipeline early: the Article 11 compliance report is easiest when evidence is captured as changes ship.

  • Stand up the compliance function (independent from operations) with a head of compliance and clear responsibilities, reporting line, and annual review cadence.
  • Create a "DMA change control" gate for CPS changes: ranking parameters, default settings, app store policies, interoperability APIs, and ads measurement.
  • Adopt an evidence standard: machine-readable where possible, versioned, with clear mapping to CPS + obligation.
Section 3

Phase 2 - Deliver Articles 5-7 obligations within 6 months

The 6-month compliance deadline is a delivery schedule. Break it into release milestones that ship functionality and evidence in parallel.

Treat the obligations as clusters so teams can parallelise workstreams.

  • Data and consent cluster (Article 5(2), Article 6(2), Article 6(10)): data combination controls, opt-in gates, data access parity, and audit logs.
  • Choice and distribution cluster (Article 6(3)-(4)): uninstall flows, default-setting changes and choice prompts, third-party app stores and app distribution paths, integrity/security exceptions with justification.
  • Ranking fairness cluster (Article 6(5)): remove preferential treatment, implement ranking governance, create parity tests and monitoring.
  • Portability and access cluster (Article 6(9)-(10)): portability tools and continuous/real-time access, documentation, and operational support.
  • Interoperability cluster (Article 6(7), Article 7 where applicable): API access parity, request workflows, reference offers, and SLAs.
Section 4

Phase 3 - Article 11 compliance report: the minimum evidence pack

The Commission's Article 11 compliance report template expects, per CPS and per applicable obligation, a compliance statement and an exhaustive explanation including supporting data and internal documents.

Build your evidence pack to answer: what changed, when, where, why it is compliant, and how you ensure it stays compliant.

  • For each measure: prior state, implementation date, product/service/device scope, geographic scope, and technical/engineering changes (APIs, OS features, ranking parameters, security aspects).
  • For each measure: UX changes (choice screens, consent forms, warning messages, customer journey changes) with recorded demos where relevant.
  • Underlying data readiness: store raw data and metrics that support claims (e.g., default changes take effect; portability APIs succeed; interoperability requests meet SLAs).
Section 5

Phase 4 - Continuous monitoring and enforcement readiness

The Commission can monitor implementation and may require retention of documents relevant to assessing compliance; it can also appoint independent experts/auditors.

Your job is to prevent regressions and answer questions quickly with evidence, not ad hoc narratives.

  • Monitoring checks: automated tests for choice screens, uninstall flows, ranking neutrality, API access parity, portability output correctness, and consent gate enforcement.
  • Incident response for DMA: define how you triage, mitigate, roll back, and communicate compliance-impacting regressions.
  • Stakeholder intake: centralise developer/business-user requests (especially interoperability and access requests) and track them with clear SLAs and escalation paths.
Recommended next step

Turn EU Digital Markets Act (DMA) Gatekeeper Compliance Checklist into an operational assessment

Assessment Autopilot can take EU Digital Markets Act (DMA) Gatekeeper Compliance Checklist from turning this checklist into an operational workflow to a reusable workflow inside Sorena. Teams working on EU Digital Markets Act (DMA) can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow
Open Assessment Autopilot for EU Digital Markets Act (DMA) Gatekeeper Compliance Checklist

Start from EU Digital Markets Act (DMA) Gatekeeper Compliance Checklist and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step
Talk to Sorena
Talk through EU Digital Markets Act (DMA)

Review your current process, evidence gaps, and next steps for EU Digital Markets Act (DMA) Gatekeeper Compliance Checklist.

Explore next step
Primary sources

References and citations

Related guides

Explore more topics

DMA Applicability Test (Gatekeeper Scoping) | EU Digital Markets Act
A practical DMA applicability test for teams scoping EU Digital Markets Act exposure: core platform service (CPS) mapping, gatekeeper presumption thresholds.
DMA Compliance Checklist (Execution-Ready) | EU Digital Markets Act
An execution-ready EU DMA checklist: CPS scoping, gatekeeper thresholds, designation readiness, Article 5-7 obligation mapping, product/engineering controls.
DMA Compliance Program & Monitoring (Compliance Function + Evidence)
How to build an EU DMA compliance program that survives scrutiny: Article 28 compliance function design, monitoring readiness.
DMA Deadlines & Compliance Calendar (Key Dates) | EU Digital Markets Act
A calendar-ready DMA deadlines guide: application date, gatekeeper notification (2 months), designation (45 working days), 6-month compliance deadline.
DMA Do's and Don'ts for Product Teams | EU Digital Markets Act
Practical DMA do's and don'ts for product and engineering teams: how to avoid self-preferencing, implement choice screens and default changes.
DMA Enforcement: Penalties, Remedies, and Process | EU Digital Markets Act
How EU DMA enforcement works: information requests, monitoring, preliminary findings, non-compliance decisions, commitments, interim measures, remedies.
DMA Fines & Penalties (10% / 20% / 1% + 5% per day) | EU Digital Markets Act
A practitioner guide to DMA penalties: non-compliance fines up to 10% worldwide turnover, repeat infringement fines up to 20%, procedural fines up to 1%.
DMA Obligations List (Articles 5, 6, 7) - By Obligation | EU Digital Markets Act
A detailed, obligation-by-obligation breakdown of the EU Digital Markets Act (DMA): Article 5 restrictions, Article 6 obligations (choice screens, app stores.
DMA Self-Preferencing Compliance Examples (Article 6(5)) | EU Digital Markets Act
Practical self-preferencing compliance guidance for DMA Article 6(5): what counts as self-preferencing in ranking/indexing/crawling, what "transparent, fair.
DMA vs DSA: What's the Difference? (EU Platform Laws)
A practical comparison of the EU Digital Markets Act (DMA) vs the Digital Services Act (DSA): what each law regulates, who is in scope, core obligations.
EU Digital Markets Act (DMA) Requirements (Articles 5-7)
A deep, execution-ready overview of EU DMA requirements for gatekeepers: Article 5 restrictions, Article 6 obligations (choice screens, app distribution.
EU DMA Compliance Guide (How to Comply) | Digital Markets Act (DMA)
A practical guide to EU Digital Markets Act (DMA) compliance: how to scope CPS, start the 6-month clock after designation, implement Articles 5-7 obligations.
EU DMA FAQ (Gatekeepers, Obligations, Deadlines) | Digital Markets Act
EU Digital Markets Act (DMA) FAQ: what is a gatekeeper, what counts as a core platform service (CPS), what are the key obligations (Articles 5-7).
EU DMA Timeline & Key Milestones | Digital Markets Act (2022/1925)
A grounded EU Digital Markets Act (DMA) timeline: application date, gatekeeper designations, compliance clocks, Article 7 staged interoperability milestones.
Gatekeeper Designation Guide (DMA Article 3) | EU Digital Markets Act
A practical guide to DMA gatekeeper designation: core platform service mapping, Article 3 thresholds (45M / 10,000 / EUR 7.5B / EUR 75B).