Artifact GuideEU

EU Digital Markets Act (DMA) Requirements

What a designated gatekeeper must do (and must not do) under DMA Articles 5-7.

Built for implementation: product requirements, engineering changes, monitoring checks, and evidence for the Article 11 compliance report.

Back to main artifact Review sources

Author

Sorena AI

Published

Feb 21, 2026

Updated

Feb 23, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published Feb 21, 2026

Updated Feb 23, 2026

Overview

DMA requirements are not "policy only". They translate into product requirements (choice screens, default settings, ranking), architecture requirements (data separation, portability tools), and operational requirements (compliance function, reporting, monitoring). Use this page as your EU Digital Markets Act (DMA) requirements baseline once a core platform service is listed in a gatekeeper designation decision.

Section 1

What changes after gatekeeper designation

The DMA applies to core platform services (CPS) listed in the designation decision. For each listed CPS, the gatekeeper must comply with the obligations in Articles 5, 6, and 7 within 6 months after listing.

In practice, DMA requirements become cross-functional work: legal interpretation, product requirement writing, engineering implementation, commercial terms updates, and evidence-building for regulator scrutiny.

Treat each CPS as its own compliance surface (app store, OS, browser, social network, ads stack, etc.).
Design for auditability: document the "why" behind choices, especially where integrity/security exceptions are relied on.
Plan evidence from day one: demos, screenshots, API docs, metrics, and change logs are part of compliance.

Section 2

Article 5 requirements (prohibited or tightly constrained practices)

Article 5 contains obligations that often require immediate product and data-control changes, especially for advertising, consent, and business-user commercial terms.

These requirements are frequently tested via complaints and enforcement narratives because they affect user choice and business-user steering directly.

Personal data combination/cross-use: do not combine personal data across CPS and other services unless the end user has a specific choice and consent; if refused/withdrawn, do not re-request for the same purpose more than once within a year.
Anti-steering for business users: do not prevent business users from offering different prices/conditions through other channels; allow business users to communicate/promote offers to end users and conclude contracts with end users acquired via the CPS.
No forced use of gatekeeper services: do not require the gatekeeper's identification service, browser engine, payment service, or in-app payment technical services for business users' services using the CPS.
Ads transparency: provide daily information to advertisers and publishers about prices/fees/remuneration and the metrics used (subject to the consent constraints described in the DMA).

Recommended next step

Turn EU Digital Markets Act (DMA) Requirements into an operational assessment

Assessment Autopilot can take EU Digital Markets Act (DMA) Requirements from turning the requirements into assigned actions to a reusable workflow inside Sorena. Teams working on EU Digital Markets Act (DMA) can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow

Open Assessment Autopilot for EU Digital Markets Act (DMA) Requirements

Start from EU Digital Markets Act (DMA) Requirements and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step

Talk to Sorena

Talk through EU Digital Markets Act (DMA)

Review your current process, evidence gaps, and next steps for EU Digital Markets Act (DMA) Requirements.

Explore next step

Section 3

Article 6 requirements (choice, access, ranking fairness, data access)

Article 6 turns DMA compliance into "build and operate" workstreams: uninstallability, default settings and choice screens, app distribution, ranking neutrality, data portability, and continuous data access for business users.

Many Article 6 obligations are susceptible of being further specified under Article 8, so your implementation should be measurable, testable, and explainable.

Data advantage controls: do not use non-public business-user data to compete against business users (including inferred aggregated data such as click, search, view, and voice data).
Choice and defaults: enable easy app uninstall (except essential OS/device apps); enable changing defaults; prompt end users at first use to choose among main providers for search engine, virtual assistant, and browser where applicable.
Third-party apps and app stores: allow installation and effective use of third-party apps/app stores using or interoperating with the OS; allow access by means other than the gatekeeper's CPS, subject to strictly necessary and proportionate integrity/security measures.
No self-preferencing: do not treat the gatekeeper's services more favourably in ranking/indexing/crawling; apply transparent, fair, non-discriminatory ranking conditions.
Portability and access: provide effective data portability tools and continuous/real-time access for end users; provide business users continuous/real-time access to aggregated and non-aggregated data generated in CPS use (with opt-in consent where personal data is involved).
FRAND access terms: apply fair, reasonable, and non-discriminatory conditions of access for business users to app stores, search engines, and social networking services; publish conditions including an alternative dispute settlement mechanism.

Section 4

Article 7 requirements (messaging interoperability and staged deadlines)

If a gatekeeper provides number-independent interpersonal communications services (NICS) listed in the designation decision, Article 7 requires interoperability with other providers upon request, free of charge, while preserving security (including end-to-end encryption where applicable).

Article 7 is explicitly staged over time: 1:1 messaging first, then groups, then voice/video calling. This affects protocol design, identity and consent, abuse prevention, and security assurance.

After listing: make end-to-end 1:1 text messaging interoperable; and sharing of images/voice messages/videos/other files in 1:1 communication (where the gatekeeper provides those features).
Within 2 years from designation: group text messaging and group-to-individual file sharing interoperability.
Within 4 years from designation: voice calls and video calls (1:1 and group-to-individual).
Publish a reference offer with technical details/terms; comply with reasonable interoperability requests within 3 months after receiving the request.

Section 5

Governance and reporting requirements (compliance function + Article 11 reporting)

The DMA requires gatekeepers to introduce an independent compliance function with compliance officers and direct reporting to the management body, plus sufficient authority, resources, and management accountability.

For reporting, the Commission's Article 11 compliance report template clarifies the minimum information expected: per CPS and per obligation, a compliance statement and an exhaustive explanation with supporting data, documents, and (often) demos.

Implement a DMA compliance function independent of operational functions; appoint a head of compliance with direct access to the management body.
Build an evidence library aligned to Article 11 reporting: product flows, consent screens, ranking logic explanations, APIs, security and integrity justifications, change logs per CPS, and machine-readable supporting data.
Plan adjacent post-designation deliverables as well: the detailed Article 11 compliance report within 6 months, at least annual updates, and the independently audited consumer-profiling description plus public overview that the DMA also requires after designation.
Set a recurring cadence: at least annual review of strategies and policies, annual compliance report updates, and evidence refreshes tied to product releases.

Primary sources