Digital Markets Act Guide

Assess your DMA obligations Use the Verdaio DMA tool to understand gatekeeper thresholds and compliance requirements.

DMA Assessment Tool →

What is it?

The Digital Markets Act

The Digital Markets Act (DMA), Regulation (EU) 2022/1925, entered into application on 2 May 2023 and represents the EU's most significant intervention in digital markets since the General Data Protection Regulation. Its stated objective is to ensure that digital markets in the EU are contestable and fair — preventing large digital platforms from using their gatekeeping power to foreclose competitors, harm business users, or lock in end users.

Unlike competition law, which addresses harm after it occurs and requires complex case-by-case analysis, the DMA takes a regulatory, ex-ante approach: designated gatekeepers must comply with a fixed set of obligations proactively, before any specific harm occurs. The European Commission is the sole enforcer — national competition authorities do not have DMA enforcement powers, though they can request the Commission to investigate.

The DMA applies to companies that provide core platform services and meet specific quantitative thresholds that indicate significant impact and durable market position. Once designated as a gatekeeper, a company has six months to comply with all DMA obligations — a tight timeline given the structural changes many obligations require. Gatekeepers must also self-assess annually whether they meet the thresholds for any new core platform services they have launched.

The DMA is currently enforced against six designated gatekeepers: Alphabet (Google), Amazon, Apple, ByteDance (TikTok), Meta, and Microsoft. Together, these companies operate more than 20 individually designated core platform services, each subject to the full set of DMA obligations. Additional companies could be designated if they meet the threshold criteria in the future.

Who does it apply to?

Gatekeeper thresholds

A company is presumed to be a gatekeeper if it provides a core platform service and meets all three of the following quantitative criteria for the past three financial years:

Criterion	Threshold	Rationale
EU turnover or market capitalisation	Annual EU turnover ≥€7.5B OR market capitalisation ≥€75B	Indicates significant impact on the EU internal market
Monthly active end users	≥45 million per month in the EU	Indicates a significant scale of interaction with users
Annual active business users	≥10,000 per year in the EU	Indicates significant dependencies for business users

These are presumptive thresholds — the Commission can designate a company that does not meet the quantitative criteria if it determines the company has a significant impact on the internal market, provides a gateway for business users to reach end users, and enjoys an entrenched and durable position. Conversely, a company meeting the thresholds can rebut the presumption by demonstrating it does not satisfy the qualitative conditions.

Core platform services subject to DMA designation include: online search engines, online social networking services, video sharing platforms, number-independent interpersonal communication services (messaging apps), operating systems, web browsers, virtual assistants, cloud computing services, and online advertising services provided by companies operating other listed services.

Current gatekeepers

Designated companies & their services

As of early 2026, six companies have been designated as gatekeepers under the DMA:

Alphabet (Google)

Amazon

Apple

ByteDance (TikTok)

What gatekeepers must do — and must not do

✓ Obligations (must do)

Allow business users to offer the same products/services at different prices on other platforms (anti-steering prohibition reversal)
Provide advertisers and publishers with access to performance measurement tools and aggregated data
Allow end users to uninstall pre-installed software and apps
Ensure interoperability for third-party messaging services (Art. 7)
Provide data portability tools for end users and business users
Allow third-party app stores and sideloading on operating systems
Give business users access to data they generate on the platform
Notify the Commission of all intended concentrations involving other providers of digital services

✗ Prohibitions (must not do)

Self-preference: rank own products/services more favourably than third parties
Use non-public data from business users to compete with them
Default installation: require app developers to use the gatekeeper's own payment system as a condition of access
Cross-consent: combine personal data from different services without separate, specific consent
Prevent business users from communicating with users outside the platform
Prevent end users from switching operating systems or uninstalling pre-installed apps
Require business users to use, offer, or interoperate with other services of the gatekeeper as a condition of access

Core obligations summary

What every gatekeeper must implement

→
Compliance function — designate one or more compliance officers responsible for monitoring DMA obligations, with direct reporting lines to senior management and the right to interact directly with the Commission.
→
Annual compliance report — submit an independently audited compliance report to the Commission within six months of each designation, and annually thereafter, documenting how each obligation has been implemented.
→
Interoperability APIs — provide documented, effective interoperability access for third-party communication services and other designated services, allowing competing products to connect to the gatekeeper's platform.
→
Merger notification — inform the Commission of all intended acquisitions of any company that provides a digital service or enables the collection of data, regardless of whether the transaction meets standard EU merger control thresholds.
→
Prohibition compliance — immediately cease any practices prohibited under Arts. 5–7, and implement structural and technical measures to prevent their recurrence, across all designated core platform services.

◈ Premium Deep-Dive

Full obligations breakdown, enforcement, interoperability requirements & compliance checklist

Everything you need to navigate DMA obligations in practice.

Full Dos and Don'ts by Obligation Type

Data Access and Portability (Art. 6)

Gatekeepers must provide business users and end users with effective data portability tools, free of charge. For search advertising, gatekeepers must provide advertisers with real-time access to performance data, targeting criteria used, and aggregated data across all advertisers. Business users are entitled to access data generated through their use of the gatekeeper's platform — including transaction data, user interaction data, and performance metrics — in real time and in machine-readable format.

Interoperability (Art. 7)

The DMA's interoperability obligation is particularly significant for messaging and social media services. Gatekeepers must ensure interoperability of their services with third-party providers. For messaging specifically, third-party providers can request interconnection allowing their users to exchange messages and make calls with gatekeeper users. The obligation is phased: one-to-one messaging must be interoperable within 3 months of a request; group messaging within 2 years; full audio/video calls within 4 years.

App Store Obligations

Gatekeepers operating operating systems and app stores must allow third-party app stores to be installed and allow sideloading of apps not available in the gatekeeper's store. They must allow apps to use alternative payment systems for digital transactions. They cannot require the gatekeeper's own payment system as a condition of distribution. Apple's compliance programme following initial DMA enforcement has been the subject of significant Commission scrutiny.

Could Your Platform Become a Gatekeeper?

The DMA requires companies that provide core platform services and believe they are approaching the quantitative thresholds to notify the Commission. The notification threshold is: annual EU turnover ≥€7.5B (or market capitalisation ≥€75B), 45M+ monthly active EU end users, and 10,000+ annual active EU business users — all three criteria for the same service.

Companies that believe they do not meet the thresholds but are subject to a Commission investigation have the right to rebut the presumption of gatekeeper status by demonstrating — with verifiable evidence — that they do not satisfy the qualitative conditions (significant impact, gateway role, entrenched position) despite meeting the quantitative ones. This rebuttal process has a strict 45-working-day deadline once a Commission investigation is opened.

Enforcement: Commission Investigations and Interim Measures

The European Commission has exclusive enforcement authority under the DMA. It can: open market investigations to assess whether a company should be designated; investigate non-compliance with specific obligations; impose interim measures to prevent serious and irreparable harm to competition; and accept behavioural or structural commitments from gatekeepers. The Commission has already opened non-compliance investigations against Alphabet, Apple, Meta, and others within months of the DMA becoming applicable.

Penalty Structure

DMA penalties are among the highest in EU regulation:

Non-compliance with gatekeeper obligations: up to 10% of global annual turnover
Repeat infringements within 8 years: up to 20% of global annual turnover
Systematic non-compliance (three non-compliances in 8 years): structural remedies, including divestiture of business units and temporary prohibition of acquisitions
Periodic penalty payments for ongoing non-compliance: up to 5% of average daily global turnover
Failure to notify intended concentrations: up to 1% of global annual turnover

Compliance Checklist

Assess whether any of your services meet the DMA gatekeeper thresholds (€7.5B EU turnover / €75B market cap, 45M monthly active users, 10,000 annual business users)

If thresholds are approaching, notify the European Commission proactively — failure to notify is itself a violation

Conduct a legal assessment of all current practices against Arts. 5–7 prohibited and required behaviours — identify any practices that must change immediately upon designation

Designate a Chief Compliance Officer or compliance team responsible for DMA obligations, with appropriate seniority and resources

Develop technical implementations for all mandatory interoperability APIs, beginning with messaging interoperability (3-month deadline from first request)

Build data portability infrastructure enabling business users to access real-time performance data and transaction data in machine-readable format

Revise advertising systems to provide advertisers and publishers with transparency over targeting criteria and performance measurement

Implement anti-steering reversal — allow business users to offer lower prices on third-party platforms without restrictions

Prepare and submit the annual compliance report (independently audited) within the required deadline after designation

Establish a merger notification process for all intended acquisitions involving digital services companies, regardless of EU merger control thresholds

How to Use the Verdaio DMA Tool

The Verdaio DMA assessment tool helps digital platform companies assess their gatekeeper status risk, understand which specific obligations would apply to their services, and build a compliance readiness roadmap. The tool guides you through the quantitative threshold analysis, qualitative gatekeeper conditions, and maps your specific services against the DMA's obligations and prohibitions.