This comprehensive guide explains everything you need to know about the EU regulation in 2025, from gatekeeper designation criteria to compliance requirements that affect every business operating in European tech markets.

What Is the Digital Markets Act?

The platform regulation is the European Union's groundbreaking legislation designed to ensure fair competition in online markets by controlling the power of large tech platforms, known as "gatekeepers." Unlike traditional competition law that reacts to anti-competitive behavior after it occurs, this framework takes a proactive approach by establishing clear rules that prevent market abuse before it happens.

The legislation targets specific platforms that act as essential gateways between businesses and consumers—companies like Google, Apple, Meta, and Amazon that control critical tech infrastructure. These platforms must follow strict obligations designed to open their ecosystems to competitors and give users more control over their online experiences.

EU enforcement began on May 2, 2023, making it one of the world's first comprehensive frameworks for regulating platform power. The legislation applies globally to any company meeting the gatekeeper criteria, regardless of where they're headquartered, demonstrating the EU's commitment to technological sovereignty.

The ex-ante approach means gatekeepers must comply with obligations immediately upon designation, rather than waiting for lengthy investigations. This creates predictable rules that platforms can follow while ensuring swift market improvements for businesses and consumers.

The legislation works alongside other EU policies including the GDPR and Digital Services Act to create a comprehensive framework governing online markets, privacy rights, and content moderation across the European Union.

Why the DMA Was Introduced

Big Tech dominance had reached unprecedented levels by 2020, with a handful of companies controlling essential online infrastructure that millions of businesses depend on to reach customers. The European Commission identified market concentration that was stifling innovation, limiting consumer choice, and creating unfair competitive advantages.

Traditional competition enforcement proved inadequate for addressing digital market dynamics. Lengthy investigations that took years to complete couldn't keep pace with rapidly evolving technology markets where first-mover advantages and network effects create winner-take-all dynamics.

Platform control over market access enabled gatekeepers to set terms unilaterally, favor their own services over competitors, and extract increasing value from businesses that had no viable alternatives. Small and medium enterprises faced particular challenges competing against platform-owned services that benefited from preferential treatment.

Consumer lock-in effects prevented users from switching between services or platforms easily, reducing competitive pressure and limiting innovation incentives. Data portability restrictions, incompatible systems, and bundled services created artificial switching costs that maintained platform dominance.

Innovation stagnation occurred as gatekeepers acquired potential competitors, copied innovative features from smaller rivals, or used their market position to exclude threatening new entrants. The Commission recognized that dynamic competition required structural intervention rather than case-by-case enforcement.

European tech sovereignty concerns motivated policymakers to ensure that EU businesses and consumers weren't subject to uncontrolled platform power exercised by companies primarily accountable to non-EU shareholders and regulators.

This regulation represents the EU's response to these challenges, creating a framework that promotes contestable markets while preserving the benefits of platform innovation and scale economies.

Who Qualifies as a "Gatekeeper"?

Gatekeeper designation criteria establish precise quantitative thresholds that identify platforms with significant market power and entrenched positions in European digital markets. Companies meeting these criteria face immediate obligations designed to prevent abuse of their dominant position.

Financial thresholds require either €7.5 billion in annual EU turnover or €75 billion in global market capitalization over the last three financial years. This dual approach captures both established revenue-generating platforms and high-growth companies with significant market valuations.

User reach standards mandate at least 45 million monthly active end users in the EU and 10,000 yearly active business users. These metrics identify platforms with sufficient scale to influence market dynamics and affect competition between businesses seeking to reach consumers.

Market presence requirements include operating in at least three EU Member States and meeting all criteria for three consecutive years, demonstrating durability rather than temporary market success.

Current designated gatekeepers include seven companies across 23 core platform services as of 2025:

Google (Alphabet) leads with eight designated services: Search, YouTube, Android, Chrome, Google Maps, Google Play, Google Shopping, and Google Ads. This comprehensive coverage reflects Google's integrated ecosystem spanning search, mobile operating systems, app distribution, and digital advertising.

Meta Platforms operates four designated services covering Facebook, Instagram, WhatsApp, and Messenger. The social media giant's designation encompasses both advertising-supported platforms and messaging services, addressing concerns about data combination across services.

Apple controls four designated services including App Store, iOS, Safari, and iPadOS (added April 2024). Apple's designation focuses on mobile ecosystem control and app distribution gatekeeping that affects developer access to iOS users.

Amazon received designation for its Marketplace and Advertising services, reflecting its dual role as an e-commerce platform connecting sellers with buyers and a major digital advertising provider competing with Google and Meta.

Microsoft operates two designated services: Windows PC operating system and LinkedIn professional networking platform, spanning both traditional PC software dominance and social media market presence.

ByteDance achieved designation solely for TikTok, demonstrating that rapid growth and significant market influence can trigger gatekeeper status even for newer platforms.

Booking.com represents the most recent addition (May 2024) for online travel intermediation services, showing that gatekeeper designation extends beyond traditional Big Tech companies to dominant platforms in specific sectors.

Key DMA Obligations

Data Sharing Rules

Business user data access requires gatekeepers to provide free, real-time access to all data generated through business use of their platforms. This includes transaction data, customer interaction metrics, search query information, and performance analytics that businesses need to understand their platform presence and optimize their strategies.

Third-party data portability mandates that gatekeepers enable easy export of user data to competing services, reducing switching costs and platform lock-in effects. Users must receive their data in structured, commonly used formats that facilitate migration to alternative platforms.

Search engine data sharing requires gatekeepers operating search services to provide ranking data, crawling information, and search query analytics to competing search engines, enabling better competition in search markets.

Interoperability Requirements

Messaging platform connectivity mandates that designated messaging services enable communication with rival platforms according to specific timelines. End-to-end messaging and file sharing between individual users must be available immediately, while group messaging capabilities are required within two years, and voice/video calling functionality within four years.

Operating system openness requires gatekeepers to allow alternative app stores, enable side-loading of applications, and provide choice screens for default applications. Users must be able to uninstall pre-installed apps and easily switch between different service providers.

API access obligations mandate that gatekeepers provide technical interfaces enabling third-party services to interact with their platforms on fair, reasonable, and non-discriminatory terms.

Self-Preferencing Ban

Equal treatment requirements prohibit gatekeepers from ranking their own services higher than competitors in search results, app store listings, or marketplace recommendations. All services must compete on equal terms based on relevant quality and user preference factors.

Algorithm transparency obligations require gatekeepers to disclose ranking parameters and algorithmic decision-making processes that affect business visibility and success on their platforms.

Fair competition standards prevent gatekeepers from using their platform control to advantage their own products and services over competitors offering similar functionality.

User Data Portability

Real-time data access enables users to download their personal data continuously rather than waiting for periodic export opportunities. This includes profile information, content, connections, and activity history stored across gatekeeper services.

Standardized formats ensure that exported data works effectively with competing services, reducing technical barriers to platform switching and enabling multi-platform service usage.

Direct data transfer capabilities allow users to move their information directly between competing services without downloading and re-uploading data manually.

Messaging Platform Interoperability

Cross-platform communication requirements ensure that users of different messaging services can communicate seamlessly while maintaining security and privacy protections. End-to-end encryption must be preserved across platform boundaries.

Feature parity mandates that interoperability services provide functionality comparable to native platform features, preventing gatekeepers from degrading cross-platform experiences to discourage switching.

Restriction on Tracking Without Consent

Enhanced consent requirements prevent gatekeepers from combining user data across different services without explicit permission for each specific use case. Users must provide separate consent for advertising, analytics, and personalization purposes.

Granular privacy controls enable users to accept some data processing while declining others, such as allowing functional cookies while rejecting advertising tracking.

Consent withdrawal must be as easy as granting initial permission, with immediate effect across all gatekeeper services and no penalties for exercising privacy rights.

Timelines and Enforcement

DMA regulation timeline began with legislative adoption on March 24, 2022, followed by entry into force on November 1, 2022. The regulation became fully applicable on May 2, 2023, triggering immediate compliance obligations for companies meeting gatekeeper criteria.

Gatekeeper designation process concluded its first wave on September 6, 2023, with six companies designated across 22 core platform services. Additional designations occurred in April and May 2024, bringing the total to seven companies and 23 services.

Compliance deadlines require gatekeepers to submit detailed compliance reports within six months of designation, demonstrating how they've implemented required obligations through technical measures, business process changes, and user interface modifications.

EU Commission enforcement powers include comprehensive investigation authority, on-site inspections, information requests, and expert consultation to assess compliance effectiveness. The Commission can require interim measures during investigations and impose structural remedies for systematic non-compliance.

Ongoing monitoring involves regular compliance assessments, annual reporting requirements, and market investigations to identify emerging competitive concerns or additional gatekeepers requiring designation.

Implementation deadlines vary by obligation type, with some requirements effective immediately upon designation while others, particularly interoperability features, follow staged timelines extending up to four years for full implementation.

Penalties for Non-Compliance

DMA fines and penalties represent some of the most severe financial sanctions in global technology regulation. Initial violations can result in fines up to 10% of worldwide annual turnover, while repeated infringements escalate to 20% of global turnover—penalties that could exceed €20 billion for the largest platforms.

Periodic penalties of up to 5% of average daily turnover can be imposed for ongoing non-compliance, creating mounting financial pressure for immediate remediation. These daily penalties accumulate rapidly, making prolonged violation economically unsustainable.

Structural remedies represent the ultimate enforcement tool, enabling the Commission to require business divestiture or operational separation when systematic non-compliance threatens market competition. This includes forced separation of services, asset sales, or restrictions on merger and acquisition activity.

First enforcement actions in 2025 established important precedents. Apple paid €500 million for App Store steering violations, while Meta faced €200 million penalties for its "pay or consent" model that forced users to choose between data sharing and subscription fees.

Impact on Businesses Outside "Gatekeepers"

New partnership opportunities emerge as gatekeepers must open their platforms to competitors and third-party services. Alternative app stores, competing search engines, and rival messaging platforms gain access to previously closed ecosystems, creating distribution opportunities for businesses seeking gatekeeper alternatives.

Ad tech ecosystem changes include enhanced data portability, improved consent management, and reduced platform dependency that enables more sophisticated advertising strategies. Businesses can leverage multiple platforms more effectively while maintaining direct customer relationships.

SMB benefits from reduced platform dependency include better negotiating positions with gatekeepers, access to alternative distribution channels, and enhanced data insights through mandatory business user data access provisions. Small businesses gain tools to compete more effectively with platform-native services.

Compliance spillover effects create opportunities for businesses to differentiate themselves through superior privacy practices, data portability, and interoperability features that exceed minimum DMA requirements. Companies can position themselves as privacy-forward alternatives to gatekeeper services.

Market access improvements enable businesses to reach customers through multiple channels without facing platform retaliation for diversification strategies. Anti-steering prohibitions protect business freedom to communicate pricing information and alternative purchasing options.

Data strategy advantages allow businesses to build more comprehensive customer insights by combining data from multiple platforms with their own first-party data collection, reducing dependence on gatekeeper analytics and advertising optimization.

Privacy and Data Protection Under the DMA

GDPR interplay creates complementary privacy protections where the DMA's market opening measures must comply with existing European data protection standards. Data portability rights under DMA cannot override GDPR consent requirements or data minimization principles.

Cross-platform tracking restrictions limit gatekeepers' ability to combine user data across different services without explicit consent for each specific purpose. Users maintain granular control over how their information is processed for advertising, analytics, and personalization.

Enhanced consent requirements prevent gatekeepers from bundling data processing consent with service access, ensuring that users can enjoy platform services while limiting data sharing for non-essential purposes.

Privacy-by-design obligations require that DMA compliance measures incorporate data protection principles from the outset rather than treating privacy as an afterthought. Interoperability features must maintain end-to-end encryption and user privacy controls.

Data controller responsibilities ensure that gatekeepers remain accountable for privacy compliance even when sharing data with competitors or enabling third-party platform access. Clear data processing agreements and user consent mechanisms must govern all data sharing activities.

User control enhancements provide more granular privacy choices, easier consent withdrawal, and comprehensive data portability that enables users to maintain privacy preferences across different service providers.

The intersection of DMA market opening and GDPR privacy protection creates a framework where competition and privacy rights reinforce each other rather than creating conflicting obligations.

How to Prepare for DMA Compliance

The Digital Markets Act is here—and your existing privacy governance foundation provides the perfect starting point for DMA compliance. If you've invested in GDPR compliance infrastructure, you already have much of what's needed to meet DMA requirements without reinventing your entire compliance strategy.

Internal audits should assess your organization's relationship with designated gatekeepers, identifying platform dependencies, data sharing arrangements, and competitive restrictions that DMA compliance might address. Document current platform integration points and business impact scenarios.

DMA compliance builds on GDPR foundations through structured processes that address transparency, user control, fairness, and accountability. The core obligations focus on how data is collected, combined, and used; user control over personal information including access, portability, and deletion; fairness in platform ranking and interoperability; and accountability through documentation and regulatory reporting.

The Governance Advantage with Secure Privacy

At Secure Privacy, we've seen firsthand that DMA compliance is a governance challenge as much as it is a legal one. That's why our privacy governance platform can be a DMA game-changer for organizations navigating these complex new requirements.

Our core modules help you operationalize DMA requirements through systematic processes that build on your existing privacy infrastructure:

Calendar & Tasks – Stay ahead of DMA reporting cycles, regulatory deadlines, and recurring compliance reviews. Track gatekeeper designation updates, enforcement actions, and implementation timelines that affect your business operations and competitive strategy.

Risks – Identify and mitigate DMA-specific risks like inappropriate data combination or self-preferencing practices before they become costly enforcement issues. Our risk assessment framework helps you evaluate platform dependencies and competitive restrictions proactively.

DSARs – Extend your existing GDPR request workflows to handle DMA-related access and portability requests efficiently. Users exercising enhanced data rights under DMA receive the same systematic response processes that demonstrate regulatory compliance and build customer trust.

Process Register & Systems – Maintain an up-to-date map of your data processing activities and the systems involved—crucial evidence for proving DMA compliance during regulatory investigations. Clear documentation demonstrates transparency and accountability to EU authorities.

Impact Assessment – Run Data Protection Impact Assessments (DPIAs) and tailor them for DMA-related changes, such as new interoperability features, enhanced data sharing, or platform integration modifications. Assess compliance requirements before implementation rather than after problems arise.

Vendors – Ensure third-party partners align with your DMA compliance commitments through systematic vendor management and oversight. Platform relationships, data processors, and technology providers must understand and support your DMA obligations through appropriate contracts.

Documents – Keep all DMA-related policies, evidence, and regulatory correspondence in one secure, organized location. Centralized documentation enables rapid response to regulatory inquiries while demonstrating systematic compliance approaches that satisfy EU Commission requirements.

Technical Infrastructure Preparation

Data portability capabilities should align with both GDPR individual rights and DMA business user data access requirements. Enhanced export functionality serves multiple compliance purposes while improving customer experience and competitive positioning.

Interoperability protocols and privacy controls reflect DMA-driven market changes while maintaining security and privacy protections. Consider how gatekeeper compliance obligations create opportunities for enhanced platform integration and customer insights.

Strategic planning incorporates DMA compliance benefits into competitive strategy, customer acquisition planning, and technology investment decisions. Focus on maximizing opportunities rather than just managing compliance risks, as DMA implementation creates competitive advantages for prepared businesses.

Frequently Asked Questions

Does the DMA apply to my business if I'm not a gatekeeper?

The DMA primarily regulates designated gatekeepers, but it creates significant opportunities for other businesses. You benefit from enhanced data access, reduced platform restrictions, and new competitive opportunities without facing direct DMA obligations.

How does DMA compliance affect advertising and marketing?

DMA compliance enhances advertising flexibility by reducing platform restrictions, improving data portability, and enabling multi-platform strategies. Businesses gain better insights through mandatory data access and reduced dependency on gatekeeper analytics.

What's the difference between DMA and GDPR compliance?

GDPR focuses on privacy rights and data protection, while DMA targets market competition and platform power. Both regulations complement each other, with DMA market opening measures required to maintain GDPR privacy standards.

Can gatekeepers charge fees for DMA compliance features?

Gatekeepers must provide many DMA-required features free of charge, particularly data portability and basic interoperability. However, they may charge reasonable fees for enhanced services that exceed minimum compliance requirements.

How quickly will DMA changes affect digital markets?

Many DMA benefits are available immediately, including enhanced data access and reduced platform restrictions. More complex features like messaging interoperability follow staged timelines extending up to four years for full implementation.

Navigate DMA Compliance with Expert Support

The Digital Markets Act fundamentally transforms European digital markets, creating unprecedented opportunities for businesses while ensuring fair competition and user choice. Understanding DMA implications enables organizations to capitalize on market opening while maintaining regulatory compliance.

Ready to assess your DMA compliance readiness? Schedule a consultation with Secure Privacy's regulatory experts who specialize in EU digital competition law. We'll evaluate your platform dependencies, identify compliance opportunities, and develop strategies that leverage DMA benefits for competitive advantage.

Need ongoing DMA monitoring? Discover our comprehensive regulatory tracking services that monitor enforcement developments, analyze gatekeeper compliance changes, and provide strategic guidance for navigating evolving digital competition requirements.

Looking for DMA compliance integration? Download our complete DMA compliance checklist that covers internal audits, vendor assessments, technical preparations, and strategic planning frameworks for maximizing DMA opportunities.

The future of digital competition depends on understanding and leveraging the market changes that comprehensive platform regulation creates. Let Secure Privacy help you navigate this transformation while building sustainable competitive advantages in Europe's evolving digital marketplace.