Compliance ChecklistEU DMA

DMA gatekeeper compliance checklist

Check a designated gatekeeper's core platform services against the Digital Markets Act obligations that matter operationally: Articles 5, 6 and 7, Article 11 reporting evidence, Article 13 anti-circumvention, and Article 28 compliance governance.

Use one row per designated core platform service and obligation so legal, product, engineering, data, developer relations, advertising, and compliance-function owners can prove what changed and where the evidence lives.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

This checklist is for DMA work after an undertaking has been designated as a gatekeeper and a core platform service has been listed in the designation decision. It turns the Article 5, 6 and 7 obligations into owner, control, evidence, and review fields that can feed the Article 11 compliance report and the non-confidential summary.

Section 1

1. Confirm the designated gatekeeper and core platform service boundary

Start with the Commission designation decision, not with a product roadmap label. Article 3 requires the designation decision to list the relevant core platform services, and Article 5, Article 6 and Article 7 apply with respect to each listed service.

A checklist row should be opened only when it names the designated undertaking, the listed core platform service, the obligation article and paragraph, the affected business-user or end-user group, and the system or policy owner that can change the service.

  • Check: record the designated gatekeeper name, listed core platform service, case or designation reference, service category, EEA user/business-user population affected, and whether the obligation is applicable to that service. Owner: DMA legal lead. Evidence: designation extract, service boundary note, product inventory, and Article 3(9) listing reference.
  • Check: document why an Article 5, 6 or 7 obligation is in scope, out of scope by nature, or requires Commission specification under Article 8. Owner: legal plus product counsel. Evidence: article-and-paragraph mapping, written non-applicability rationale where used, and escalation note for any Article 8 request.
  • Check: make the CPS boundary resilient against product bundling, country domains, device-specific variants, or internal naming changes. Owner: platform architecture and legal. Evidence: CPS boundary diagram, entity/service ownership table, and release-change impact assessment.
Sources for this answer
Regulation (EU) 2022/1925 (Digital Markets Act)
Supports the checklist scope rule: gatekeeper obligations attach to core platform services listed in a designation decision.
European Commission DMA gatekeepers page
Commission page identifying designated gatekeepers, designated core platform services, and links to compliance reports and case materials.
Section 2

2. Check Article 5 obligations that should be hard-coded in policy and product controls

Article 5 obligations are directly framed as conduct rules. The checklist should translate each relevant paragraph into an enforceable product, commercial, advertising, payments, account, or complaint-handling control.

Do not close an Article 5 row with a policy statement alone. The row should show the user journey, contract term, system rule, monitoring metric, and exception path that make the obligation effective.

  • Article 5(2) personal-data combination and cross-use: verify consent presentation, refusal and withdrawal handling, one-year repeat-request control, data-flow blocks, and use of any separate legal basis. Owner: privacy engineering and data governance. Evidence: consent UI captures, data lineage, purpose controls, refusal logs, and monitoring for repeat prompts.
  • Article 5(3)-(5) business-user offer and end-user access rights: verify that business users can offer different prices or conditions elsewhere, communicate and promote offers to acquired users, conclude contracts, and let users access externally acquired content or subscriptions. Owner: marketplace/product policy. Evidence: seller terms, app review rules, pricing-policy tests, and customer-journey demos.
  • Article 5(6) complaints and authority access: verify contracts, support scripts, developer policies, and enforcement workflows do not restrict business users or end users from raising non-compliance issues with public authorities. Owner: legal operations. Evidence: clause review, support-training record, complaint-channel logs, and exception approvals.
  • Article 5(7)-(8) tying checks: verify that use of gatekeeper identification, browser engine, payment, payment-supporting technical services, or further core platform services is not required as a condition for access where Article 5 prohibits it. Owner: payments, identity, browser/platform product leads. Evidence: integration requirements, developer documentation, product acceptance tests, and rejection-reason samples.
  • Article 5(9)-(10) advertising transparency: verify that advertisers and publishers, or their authorised third parties, can receive the required daily free-of-charge price, fee, remuneration, deduction, surcharge, and metric information. Owner: ads product and billing data. Evidence: API or report specification, access logs, sample daily exports, consent fallback logic, and metric definitions.
Sources for this answer
Regulation (EU) 2022/1925 (Digital Markets Act)
Binding source for Article 5 gatekeeper obligations on personal data, business-user offers, complaints, tying, and advertising transparency.
European Commission Article 11 compliance report template
Explains the evidence expected for each applicable Article 5 to 7 obligation, including supporting data, internal documents, and user-interface evidence.
Section 3

3. Check Article 6 and Article 7 technical access, interoperability, and fairness controls

Article 6 contains obligations that often need engineering, data, ranking, default-setting, interoperability, portability, and access-control evidence. Article 7 adds a specific interoperability regime for number-independent interpersonal communications services where that service is listed in the designation decision.

For each technical access obligation, the owner field should name both the policy approver and the system team that can prove the API, interface, data export, ranking change, or default-setting change works in production.

  • Article 6(2) non-public business-user data: verify that the gatekeeper does not use non-public business-user or customer-generated data to compete with those business users. Owner: data governance and competitive-use review board. Evidence: data-use policy, model/training exclusions, access-control logs, and product-launch review records.
  • Article 6(3)-(4) uninstall, default, third-party app, and app-store access: verify uninstall flows, default-choice prompts, third-party app or app-store installation, and security measures that are strictly necessary and proportionate. Owner: operating-system product and security architecture. Evidence: click-by-click user journeys, release notes, security justification, and test results.
  • Article 6(5) ranking fairness: verify that ranking, indexing, and crawling do not treat the gatekeeper's own products more favourably than similar third-party products and use transparent, fair, non-discriminatory conditions. Owner: search, discovery, and ranking governance. Evidence: ranking policy, algorithm-change approvals, test cohorts, and complaint triage.
  • Article 6(7) interoperability with OS, virtual assistant, hardware, and software features: verify free effective interoperability and access to the same features available to the gatekeeper's own services, with any integrity/security/privacy limits justified. Owner: platform APIs, developer relations, and security. Evidence: public request process, API documentation, request register, denial reasons, security analysis, and developer feedback.
  • Article 6(8)-(11) advertising measurement, data portability, business-user data access, and search data access: verify free access for authorised parties, continuous and real-time access where required, personal-data consent controls where required, and anonymisation for search data. Owner: ads measurement, data portability, business data, and search data teams. Evidence: API schema, access logs, consent logic, data-retention policy, auditability statement, and sample exports.
  • Article 6(12)-(13) access and termination terms: verify FRAND general conditions for app stores, online search engines, and online social networking services, an alternative dispute settlement mechanism, and termination conditions that are not disproportionate or unduly difficult. Owner: commercial policy and business-user operations. Evidence: published terms, dispute pathway, termination-flow test, and business-user feedback.
  • Article 7 communications interoperability: if the listed CPS is a number-independent interpersonal communications service, verify the reference offer, requested basic functionalities, free-of-charge access, security and end-to-end encryption preservation, strictly necessary data exchange, and proportional integrity/security/privacy measures. Owner: messaging platform, privacy/security, and developer relations. Evidence: reference offer, interoperability request log, technical interface documentation, security assessment, and three-month request-response tracker.
Sources for this answer
Regulation (EU) 2022/1925 (Digital Markets Act)
Binding source for Article 6 and Article 7 obligations on data use, defaults, app access, ranking, interoperability, portability, data access, FRAND access, and communications interoperability.
European Commission DMA resources for businesses
Commission page listing business-facing resources for Article 6(7) interoperability, Article 6(9) data portability, and Article 6(10) data access.
European Commission DMA interoperability questions and answers
Commission Q&A explaining Article 6(7) interoperability expectations and specification decisions for iOS and iPadOS features.
Section 4

4. Build the Article 11 evidence pack for each checklist row

Article 11 requires a detailed and transparent report describing the measures implemented to ensure compliance with Articles 5, 6 and 7, plus a non-confidential summary. The Commission template makes the evidence standard concrete: each obligation and each core platform service needs a standalone explanation with supporting data and internal documents.

The evidence pack should be usable by the compliance function, management body, external counsel or technical experts, and Commission reviewers without relying on undocumented project history.

  • Required field: compliance statement. Capture the undertaking name, date of compliance statement, exact DMA article and paragraph, listed CPS, approver, and version. Owner: head of compliance function. Evidence: signed statement and report annex identifier.
  • Required field: implemented measure. Describe the pre-measure situation, implementation timing, product/service/device scope, geographic scope, technical or engineering changes, customer-experience changes, remuneration or terms changes, and relationship with other DMA measures. Owner: product and engineering. Evidence: release records, demos, screenshots, API specs, terms diffs, and metric definitions.
  • Required field: effectiveness assessment. Record the test, audit, survey, A/B test, consent-rate analysis, business-user feedback, indicator, or monitoring output that shows whether the measure achieves the obligation objective. Owner: compliance monitoring and analytics. Evidence: methodology, raw-data readiness note, results, indicator dashboard, and internal-system output.
  • Required field: third-party access procedure. For data, interface, API, OS-feature, or technical-feature access, document how eligible third parties are informed, how requests are submitted, the scope and format of access, frequency or real-time characteristics, auditability, data-retention rules, and secure-access measures. Owner: developer relations, data platform, and security. Evidence: public documentation, access queue, approval/denial reasons, API logs, and retention policy.
  • Required field: non-confidential summary. Prepare a faithful standalone summary by CPS and obligation, using meaningful ranges or aggregated data where confidential numerical data cannot be published. Owner: legal and compliance communications. Evidence: public summary draft, confidentiality review, redaction log, and link to the underlying confidential annex.
Sources for this answer
Regulation (EU) 2022/1925 (Digital Markets Act)
Supports the Article 11 reporting requirement and the annual update requirement for the compliance report and non-confidential summary.
European Commission Article 11 compliance report template
Commission template for the compliance-report fields, including implemented measures, supporting data, audits, user feedback, indicators, and non-confidential summary structure.
Section 5

5. Anti-circumvention and review gates before closing a checklist row

A DMA checklist row should not close merely because a control exists. Article 8 requires the gatekeeper to ensure and demonstrate effective compliance, and Article 13 prohibits contractual, commercial, technical, interface-design, or other behaviour that undermines effective compliance.

Use these gates whenever a feature ships, a policy changes, an API is launched or restricted, a business-user complaint identifies friction, or a Commission request or specification process affects the row.

  • Anti-circumvention gate: reject the row if a service boundary, product split, contract term, technical design, consent path, or interface pattern makes Articles 5, 6 or 7 rights harder to exercise or degrades the conditions or quality for users who exercise them. Owner: compliance function and product counsel. Evidence: Article 13 review, UX neutrality check, and exception log.
  • Security and privacy gate: where the DMA allows integrity, security, privacy, or similar protective measures, record why the measure is strictly necessary and proportionate and why less restrictive means are not sufficient. Owner: security architecture and privacy. Evidence: threat model, proportionality memo, privacy assessment, and approval record.
  • Compliance-function gate: confirm the Article 28 compliance function has sufficient authority, resources, management-body access, and independence from operational functions for the row. Owner: head of compliance function. Evidence: compliance-function report, management-body reply, annual strategy or policy review, and resource record.
  • Reopen gate: reopen the row when the designation list changes, the CPS boundary changes, an Article 8 specification process starts or ends, an Article 11 annual update is due, a material user or business-user complaint arrives, a Commission information request targets the row, or monitoring data shows the measure is not effective. Owner: compliance monitoring. Evidence: trigger register, reassessment decision, and updated report annex.
  • Close gate: close only after the legal obligation, owner, implemented control, production evidence, monitoring indicator, Article 11 report field, non-confidential summary treatment, and next review trigger are all populated. Owner: accountable business executive and head of compliance function. Evidence: closure approval and evidence-location index.
Sources for this answer
Regulation (EU) 2022/1925 (Digital Markets Act)
Binding source for Article 8 effective compliance, Article 13 anti-circumvention, Article 26 monitoring, and Article 28 compliance-function requirements.
European Commission Article 11 compliance report template
Supports the checklist requirement to keep report-ready evidence, monitoring outputs, user feedback, compliance-function records, and non-confidential summaries.
Recommended next step

Use this checklist to prepare Article 11 evidence

Sorena can help structure DMA gatekeeper questions into obligation rows, owner assignments, source citations, evidence requests, and report-ready summaries for each designated core platform service.

Research workflow
Open Research Copilot for DMA

Ask cited questions about DMA gatekeeper obligations, core platform service scope, Article 11 evidence, and interoperability or data-access controls.

Explore next step
Talk to Sorena
Talk through implementation

Review DMA checklist gaps, owner fields, and report evidence for designated core platform services with Sorena.

Explore next step
Primary sources

References and citations

European Commission Article 11 compliance report template
digital-markets-act.ec.europa.eu
Referenced sections
  • Supports the checklist requirement to keep report-ready evidence, monitoring outputs, user feedback, compliance-function records, and non-confidential summaries.
"underlying raw data ready to be made available"
European Commission DMA gatekeepers page
digital-markets-act.ec.europa.eu
Referenced sections
  • Commission page identifying designated gatekeepers, designated core platform services, and links to compliance reports and case materials.
"23 core platform services provided by those gatekeepers are currently designated"
European Commission DMA interoperability questions and answers
digital-markets-act.ec.europa.eu
Referenced sections
  • Commission Q&A explaining Article 6(7) interoperability expectations and specification decisions for iOS and iPadOS features.
"free and effective interoperability with hardware and software features"
European Commission DMA resources for businesses
digital-markets-act.ec.europa.eu
Referenced sections
  • Commission page listing business-facing resources for Article 6(7) interoperability, Article 6(9) data portability, and Article 6(10) data access.
"Article 6(7) - Interoperability with OS features"
Regulation (EU) 2022/1925 (Digital Markets Act)
eur-lex.europa.eu
Referenced sections
  • Binding source for Article 8 effective compliance, Article 13 anti-circumvention, Article 26 monitoring, and Article 28 compliance-function requirements.
"shall not engage in any behaviour that undermines effective compliance"
Related guides

Explore more topics

DMA Anti-Circumvention Design Review for Gatekeeper Product Changes
Review DMA Article 13 anti-circumvention risks in gatekeeper product, interface, contractual, commercial, and technical changes with obligation mapping and evidence records.
DMA Article 11 Compliance Report Template FAQ
How gatekeepers should use the DMA Article 11 compliance report template to document obligation-by-obligation measures, evidence, updates, and non-confidential summaries.
DMA Article 6 Business User Data Access Guide
Grounded guide to EU Digital Markets Act Article 6 data access for business users, end users, authorised third parties, consent boundaries, and evidence handoffs.
DMA Article 6(7) and Article 7 interoperability obligations
Grounded guide to DMA interoperability duties: Article 6(7) operating-system feature access, Article 7 messaging interoperability, request handling, security conditions, and compliance evidence.
DMA Articles 5, 6 and 7 obligations mapped to CPS evidence
Map EU Digital Markets Act Articles 5, 6 and 7 obligations to affected core platform services, product evidence, legal owners, and Article 11 compliance-report artifacts.
DMA compliance program and monitoring for gatekeepers
Build a DMA compliance program around Article 8 effective compliance, Article 11 reporting evidence, Article 13 anti-circumvention controls, and Article 28 compliance-function governance.
DMA Core Platform Service Scoping
Scope EU Digital Markets Act core platform services by service category, designation evidence, user thresholds, and Form GD service-boundary records.
DMA core platform services FAQ
FAQ on EU Digital Markets Act core platform services: Article 2 service categories, gatekeeper designation evidence, user thresholds, service scoping, and Article 11 reporting.
DMA CPS Obligation Matrix Workflow: Articles 5, 6, 7 and Article 11 Evidence
Build a DMA core platform service obligation matrix that links each designated CPS to Articles 5, 6 and 7 duties, product owners, designation evidence, Article 11 report artifacts and review gates.
DMA designation intake workflow for gatekeeper notifications
Build a grounded DMA designation intake record covering core platform service classification, Article 3 thresholds, Form GD evidence, Commission handoff, and Article 11 readiness.
DMA enforcement, penalties, and remedies: Commission powers and evidence
EU Digital Markets Act enforcement guide covering Commission non-compliance decisions, DMA fine caps, periodic penalty payments, remedies, interim measures, commitments, and Article 11 evidence.
DMA Gatekeeper Designation Guide: Article 3 thresholds, Form GD, and Article 11 readiness
A grounded EU Digital Markets Act guide for assessing Article 3 gatekeeper thresholds, scoping core platform services, preparing Form GD evidence, handling rebuttal annexes, and planning Article 11 compliance reporting.
DMA gatekeeper thresholds: what counts and when to notify
Standalone FAQ on the EU Digital Markets Act gatekeeper thresholds, Article 3 notification timing, Form GD evidence, and active user-count methodology.
DMA interoperability requests: Article 7 and Commission guidance
How EU Digital Markets Act interoperability requests work for Article 7 messaging services, Article 6(7) operating-system access, gatekeeper evidence, requester evidence, and security safeguards.
DMA penalties and fines: caps, triggers, and enforcement evidence
EU Digital Markets Act penalties guide covering Article 30 fine caps, Article 31 periodic penalty payments, non-compliance decisions, remedies, and evidence records.
DMA Product Change Review Workflow for Articles 5, 6, 7, 11 and 13
Review DMA-relevant product releases for Article 5, Article 6, Article 7, anti-circumvention, Article 11 evidence, and product-owner/legal signoff.
DMA Self-Preferencing Compliance Examples for Ranking and Display
Examples and release-review controls for DMA Article 6(5) self-preferencing checks across ranking, indexing, crawling, search results, marketplaces, app stores, feeds, and virtual assistants.
DMA vs Data Act: gatekeeper duties compared with EU data-sharing rules
Compare the EU Digital Markets Act and EU Data Act by scope, actors, data access, interoperability, reporting, evidence, and enforcement without merging distinct obligations.
DMA vs DSA: Digital Markets vs Services Act
A grounded comparison of the DMA and DSA focused on gatekeepers, core platform services, DMA obligations, Article 11 reporting, interoperability, data access, and enforcement.
DMA vs EU competition law: gatekeeper obligations, Article 11 evidence, and enforcement
Compare the EU Digital Markets Act with EU competition law: ex ante gatekeeper and core platform service duties, Articles 5 to 7, Article 11 reports, penalties, and evidence records.
DMA vs GDPR: gatekeeper data obligations compared
Compare DMA gatekeeper obligations with high-level GDPR overlap for consent, combining personal data, data access, portability, and Article 11 reporting.
EU Digital Markets Act Article 11 Evidence Calendar
Build a source-grounded DMA Article 11 compliance report calendar with evidence owners, annual update checkpoints, report sections, and review gates.
EU Digital Markets Act checklist for gatekeeper compliance
A source-grounded DMA checklist for designated gatekeepers and core platform services, covering scope, Articles 5, 6 and 7 obligations, Article 11 reporting, evidence, anti-circumvention, and governance.
EU Digital Markets Act compliance: gatekeeper obligations and evidence
DMA compliance guide for designated gatekeepers: core platform service scoping, Articles 5, 6 and 7 controls, Article 11 reports, anti-circumvention checks, interoperability evidence, and enforcement risk.
EU Digital Markets Act deadlines and compliance calendar
Track DMA notification, designation, six-month obligation start, Article 11 reporting, Article 14 concentration notices, Article 15 profiling audits, and preparation milestones using official EU sources.
EU Digital Markets Act FAQ: gatekeepers, DMA obligations, reports, and enforcement
Concise FAQ on the EU Digital Markets Act for gatekeeper designation, core platform services, Articles 5, 6 and 7 obligations, Article 11 reports, interoperability, business-user data access, compliance evidence, and enforcement.
EU Digital Markets Act requirements for gatekeepers
DMA requirements for designated gatekeepers: core platform service scope, Articles 5, 6 and 7 obligations, Article 11 reporting, anti-circumvention, evidence, remedies, and fines.
EU Digital Markets Act Timeline and Key Milestones: practical obligations and evidence guide
Practical EU Digital Markets Act guide to Timeline and Key Milestones: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations.
EU DMA Applicability Test: gatekeeper thresholds, core platform services, and evidence
Test whether the EU Digital Markets Act may apply to a platform service using the DMA gatekeeper criteria, core platform service categories, EU user thresholds, notification steps, and evidence records.
EU DMA Article 11 Compliance Reporting Guide
Source-grounded guide to EU Digital Markets Act Article 11 compliance reports: report purpose, template evidence, non-confidential summaries, annual updates, and submission steps.
EU DMA do's and don'ts for product teams
Product release checks for designated DMA gatekeepers: Article 5, 6 and 7 obligations, anti-circumvention review, data access, interoperability, self-preferencing and Article 11 evidence.
What do DMA Articles 5, 6, and 7 require from gatekeepers?
FAQ explaining how EU Digital Markets Act Articles 5, 6, and 7 group gatekeeper obligations, what product evidence they require, and how Article 11 reporting connects.