A grounded guide to DMA requirements for designated gatekeepers, organized around core platform service scope, Articles 5, 6 and 7 duties, Article 11 reporting, anti-circumvention, evidence, remedies, and fines.
Use it to build a requirements register that separates gatekeeper designation facts, service-by-service obligations, business-user and end-user rights, technical implementation evidence, and Commission-facing reporting.
Structured answer sets in this page tree.
Cited legal and guidance references.
The Digital Markets Act does not apply as a general checklist for every digital service. Its operational requirements attach to undertakings designated as gatekeepers and to the core platform services listed in the Commission's designation decision. A useful DMA requirements record therefore starts with Article 3 designation and the listed service, then maps the applicable Article 5, 6 and 7 duties to product controls, business-user processes, end-user choice points, interoperability interfaces, data-access workflows, Article 11 reporting evidence, and anti-circumvention checks.
Article 3 requires three designation conditions: significant impact on the internal market, a core platform service that is an important gateway for business users to reach end users, and an entrenched and durable position or a foreseeable such position. The quantitative presumption uses Union turnover or market value, monthly active end users, yearly active business users, Member State coverage, and a three-year durability test, but the Commission can also designate after a qualitative market investigation.
For implementation, treat the Commission designation decision as the boundary document. Article 3(9) requires the Commission to list the relevant core platform services in the designation decision, and Article 3(10) ties the Article 5, 6 and 7 compliance clock to listed services. Do not apply every DMA duty to every product in a group; map each obligation to the listed core platform service and to any supporting or connected service that the specific obligation covers.
Article 5 obligations should be converted into concrete product and commercial controls for each listed core platform service. The highest-risk clusters are personal-data combination and cross-use, anti-steering restrictions, business-user communications with acquired end users, access to content or subscriptions bought outside the gatekeeper service, complaint rights, tying of identification, browser engine or payment services, cross-registration requirements, and advertising transparency.
The requirement record should name the prohibited conduct, the affected journey, the control that prevents it, and the evidence that the control is live. For consent-dependent data processing, evidence should show the specific choice presented to end users, the consent status logic, withdrawal handling, and the guardrail that prevents repeated same-purpose consent requests more than once within one year after refusal or withdrawal.
Article 6 obligations often require engineering evidence because they address how the gatekeeper service works. The requirements register should cover non-public business-user data use, uninstall and default-setting controls, third-party app and app-store installation, ranking non-discrimination, switching and multi-homing, interoperability with operating system, virtual assistant, hardware or software features, ad measurement access, end-user data portability, business-user data access, search data access, fair access conditions, and termination conditions.
Article 6(10) is central for business-user data access. It requires effective, high-quality, continuous and real-time access, free of charge, to aggregated and non-aggregated data provided or generated in the relevant core platform service or supporting services by business users and end users engaging with those business users' products or services. For personal data, access is limited to data directly connected with the end user's use of the business user's offer and requires the end user's opt-in consent.
Article 7 is narrower: it applies where the gatekeeper provides number-independent interpersonal communications services listed in the designation decision. The gatekeeper must make basic functionalities interoperable upon request and free of charge, preserve the level of security including end-to-end encryption where applicable, publish and update a reference offer, comply with reasonable interoperability requests within three months, and collect or exchange only personal data strictly necessary for effective interoperability.
Article 11 requires a report to the Commission within six months after designation describing, in a detailed and transparent manner, the measures implemented to ensure compliance with Articles 5, 6 and 7. The gatekeeper must also publish and provide a non-confidential summary within the same deadline, update the report and summary at least annually, and the Commission makes a link to the non-confidential summary available on its website.
The Commission's compliance report template makes the evidence expectation more concrete. It asks for separate and standalone annexes for each designated core platform service and each applicable obligation, a compliance statement, an exhaustive explanation with supporting data and internal documents, the pre-implementation situation, implementation date, product, service and device scope, geographic scope, technical and engineering changes, customer-experience changes, remuneration or terms changes, consultations, external consultant involvement, and underlying raw data readiness.
Article 13 anti-circumvention should be a standing review gate for product, contract, pricing, interface, and technical changes. It prohibits splitting services to avoid Article 3 thresholds, behavior that undermines effective compliance with Articles 5, 6 and 7, making required consent harder for business users than for the gatekeeper's own services, degrading conditions or quality for users who exercise DMA rights, making those rights unduly difficult, or using interface design to subvert autonomy, decision-making, or free choice.
No. The Commission template states that a request for specification under Article 8(3), or specification discussions, does not free the gatekeeper from submitting a compliance report covering the obligations subject to that request or process.
Keep the Article 6(10) request, business-user authorization, requested data categories, delivery method, latency and availability checks, whether the data is aggregated or non-aggregated, any personal-data consent record, and the reason for any limitation or refusal.
The requirements register should not treat penalties as the only enforcement risk. The DMA gives the Commission information-request, interview, inspection, interim-measure, commitment, non-compliance, fine, periodic-penalty, and market-investigation tools. Article 29 non-compliance decisions can order the gatekeeper to cease and desist and explain how it plans to comply.
For systematic non-compliance, Article 18 allows proportionate and necessary behavioral or structural remedies after a market investigation. The regulation treats systematic non-compliance as at least three Article 29 non-compliance decisions against a gatekeeper in relation to any of its core platform services within the eight years before the market-investigation opening decision. A remedy can include, for a limited period, a prohibition on entering into certain concentrations involving core platform services, other digital-sector services, or services enabling data collection.
Article 30 allows fines up to 10 percent of total worldwide turnover in the preceding financial year for intentional or negligent failure to comply with Articles 5, 6 or 7, Commission-specified Article 8 measures, Article 18 remedies, interim measures, or binding commitments. The cap can rise to 20 percent for the same or a similar infringement of an Article 5, 6 or 7 obligation in relation to the same core platform service after a non-compliance decision in the preceding eight years. Article 31 allows periodic penalty payments up to 5 percent of average daily worldwide turnover in the preceding financial year per day to compel specified compliance steps.
Sorena can help turn DMA gatekeeper obligations into cited requirement rows, owner assignments, Article 11 evidence requests, anti-circumvention checks, and reusable review steps for product and compliance teams.
Ask source-linked questions about DMA scope, Articles 5, 6 and 7 duties, Article 11 reporting, interoperability, business-user data access, and enforcement exposure.
Review your DMA requirements register, source gaps, evidence model, and service-by-service implementation plan with Sorena.
"23 core platform services"
"free and effective interoperability"
"Practical information"
"Resources for businesses"
"Fines"