Receive the latest insights, news and more direct to your inbox.
The Digital Markets Act (DMA) is a landmark EU regulation that aims to level the playing field for all online platforms, regardless of their size. It also aims to strengthen data privacy and protection rules, further enhancing the rights of EU digital service consumers. Together with the Digital Services Act, the DMA forms the European Commission’s Digital Services Act package—a single set of rules designed to create a safer, more open digital environment by outlining what online platforms operating in the EU must and must not do.
The DMA is a wide-reaching piece of EU legislation that defines new rules to better govern the digital markets and services, including social media. With the Digital Services Package, the European Commission (“Commission”) aims to ensure consumers are provided with safe products and their fundamental rights protected while boosting innovation and growth in the digital sector by increasing competition.
Because the DMA seeks to improve competition and fairness in digital markets, it imposes rules on large online platforms designated as “gatekeepers” by the Commission. These rules include both obligations—must dos— and prohibitions—must not dos. These platforms will need to make significant changes to their operations to comply with the regulation.
They will have to offer users more choices, such as a choice of software or operating systems; provide users with the ability to uninstall preloaded software and apps on their browsers, phones and other devices; obtain user consent to cross-use data; ensure the basic functionality of their messaging services are interoperable; inform the Commission of acquisitions and mergers; avoid self-preferencing their own services; ensure fair access conditions for other businesses, including within app stores; and more.
The regulation applies to large online platforms designated as gatekeepers by the Commission. The Commission can designate a company as a gatekeeper if it provides any of a pre-defined set of digital services—so-called core platform services (CPSs)— that have a significant effect on the EU’s internal market, act as an important gateway for business users to reach end users and have an entrenched and durable position in their operations (or will likely have such in the foreseeable future).
When identifying gatekeepers, the Commission assesses CPSs in the following categories:
To determine whether a company is a gatekeeper, the Commission assesses the company and its CPSs against three defining criteria: the effect on the EU’s internal market, the control of an important gateway for business users to reach end users and the entrenched and durable position of their operations. The Commission has delineated quantitative threshold for each of these main three criteria, which are:
Companies must notify the Commission if they meet the quantitative thresholds for any CPS. The Commission must then issue a decision about their gatekeeper status within 45 working days. If a company meets the above criteria, the Commission presumes it’s a gatekeeper.
Because of the criteria and accompanying thresholds, not all large digital companies will fall within scope of the legislation. In fact, not even all the digital companies considered ‘dominant’ under EU competition law will fall within this scope. Moreover, companies may not be gatekeepers for every digital service that they offer: the Commission must list the CPSs for which it considers the company a gatekeeper as part of the designation.
However, the DMA gives the Commission the power to conduct a market investigation into a company and designate it as a gatekeeper based on a qualitative assessment—even if it does not meet the quantitative thresholds. Furthermore, companies must continuously monitor the thresholds for all their CPSs and notify the Commission upon meeting any of the thresholds.
On 5 September 2023, the Commission designated its first six gatekeepers: Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft—as well as the CPSs for which they act as gatekeepers.
| CPS category | Gatekeeper | CPSs |
|---|---|---|
|
Intermediation
|
Alphabet
|
Google Maps, Google Play, Google Shopping
|
|
Amazon
|
Amazon Marketplace
|
|
|
Apple
|
App Store
|
|
|
Meta
|
Meta Marketplace
|
|
|
N-ICCS
|
Meta
|
WhatsApp, Messenger
|
|
Video sharing
|
Alphabet
|
YouTube
|
|
Search
|
Alphabet
|
Google Search
|
|
Social network
|
ByteDance
|
TikTok
|
|
Meta
|
Facebook, Instagram
|
|
|
Microsoft
|
LinkedIn
|
|
|
Ads
|
Alphabet
|
Google
|
|
Amazon
|
Amazon
|
|
|
Meta
|
Meta
|
|
|
Browser
|
Alphabet
|
Chrome
|
|
Apple
|
Safari
|
|
|
Operating system
|
Alphabet
|
Google Android
|
|
Apple
|
iOS
|
|
|
Microsoft
|
Windows PC OS
|
The Commission did not designate a gatekeeper of CPSs for virtual assistants or cloud computing services. It also determined that several CPSs that met the thresholds—Gmail, Outlook, Samsung Internet Browser and others—were not “important gateways”, so it did not designate the providers as gatekeepers for those services.
In April 2024, following a market investigation, the Commission concluded that Apple’s gatekeeper status extended to its iPadOS despite the operating system not meeting quantitative thresholds. The iPadOS operating system must be made compliant by 29 October 2024.
In May 2024, the Commission designated Booking, the parent company of booking.com, as the seventh gatekeeper.
The DMA entered into force on 1 November 2022 and became applicable on 2 May 2023. Within two months of that date, companies providing CPSs had to notify the Commission if they met the quantitative thresholds.
After receiving a designation, gatekeepers have six months to comply with the required prohibitions and obligations. The six companies identified as gatekeepers in September 2023 had a compliance deadline of 7 March 2024.
To ensure ongoing compliance, the DMA also mandates that gatekeepers undergo an independent audit each year. The gatekeeper must select an independent auditor from a list of candidates approved by the European Commission. The audit should assess the gatekeeper’s compliance with all relevant obligations, including data practices, transparency measures, business conduct and more.
The Commission enforces the DMA; however, it anticipates working closely with national authorities, and national authorities can open investigations.
Gatekeepers that fail to comply with the new rules face fines of up to 10% of their worldwide turnover and, in the case of repeat offenses, 20%. However, if necessary, the Commission can take further action, including forcing the offending company to offload assets, banning it from making further acquisitions within the EU or from operating within the EU entirely.
The Commission is taking enforcement and compliance deadlines seriously. Following the March 2024 deadline for the six gatekeepers designated in September, it opened non-compliance investigations against Alphabet, Apple and Meta.
The DMA has some overlap with existing competition, consumer and data protection laws. While EU competition law policy, such as existing infringement decisions and investigations, have influence the legislation, the DMA operates alongside rather than replaces existing EU competition rules. Likewise, the legislation does not interfere with national competition law, and both the Commission and national competition authorities can continue to conduct competition law investigations.
At Grant Thornton, we understand the complexities of the DMA and can help your business navigate these new regulations. Our services include:
