Technology

Digital Markets Act: An Overview of the New EU Regulation

Mike Harris
By:
insight featured image
Contents

The Digital Markets Act (DMA) is a landmark EU regulation that aims to level the playing field for all online platforms, regardless of their size. It also aims to strengthen data privacy and protection rules, further enhancing the rights of EU digital service consumers. Together with the Digital Services Act, the DMA forms the European Commission’s Digital Services Act package—a single set of rules designed to create a safer, more open digital environment by outlining what online platforms operating in the EU must and must not do.

What is the Digital Markets Act?

The DMA is a wide-reaching piece of EU legislation that defines new rules to better govern the digital markets and services, including social media. With the Digital Services Package, the European Commission (“Commission”) aims to ensure consumers are provided with safe products and their fundamental rights protected while boosting innovation and growth in the digital sector by increasing competition.

Because the DMA seeks to improve competition and fairness in digital markets, it imposes rules on large online platforms designated as “gatekeepers” by the Commission.  These rules include both obligations—must dos— and prohibitions—must not dos. These platforms will need to make significant changes to their operations to comply with the regulation.

They will have to offer users more choices, such as a choice of software or operating systems; provide users with the ability to uninstall preloaded software and apps on their browsers, phones and other devices; obtain user consent to cross-use data; ensure the basic functionality of their messaging services are interoperable; inform the Commission of acquisitions and mergers; avoid self-preferencing their own services; ensure fair access conditions for other businesses, including within app stores; and more.

Who does the DMA affect?

The regulation applies to large online platforms designated as gatekeepers by the Commission. The Commission can designate a company as a gatekeeper if it provides any of a pre-defined set of digital services—so-called core platform services (CPSs)— that have a significant effect on the EU’s internal market, act as an important gateway for business users to reach end users and have an entrenched and durable position in their operations (or will likely have such in the foreseeable future). 

When identifying gatekeepers, the Commission assesses CPSs in the following categories:

  • Online intermediation services (eg online marketplaces and app stores)
  • Search engines,
  • Social networking,
  • Video-sharing platforms,
  • Number-independent interpersonal communications services (ie messaging services),
  • Operating systems, 
  • Web browsers,
  • Virtual assistants,
  • Cloud computing services, and
  • Online advertising services provided by a company providing another CPS.

How does the European Commission determine gatekeeper status?

To determine whether a company is a gatekeeper, the Commission assesses the company and its CPSs against three defining criteria: the effect on the EU’s internal market, the control of an important gateway for business users to reach end users and the entrenched and durable position of their operations. The Commission has delineated quantitative threshold for each of these main three criteria, which are:

  1. A size that impacts the internal market: the company has had an annual turnover in the European Economic Area above €7.5 billion in each of the last three financial years and it provides a core platform service in at least three member states.
  2. Control of an important gateway for business users to reach end users: the company operates a CPS with more than 45 million monthly active end users established or located in the EU and more than 10,000 yearly active business users established in the EU.
  3. An entrenched and durable position: the company met the second criteria in each of the last three financial years.

Companies must notify the Commission if they meet the quantitative thresholds for any CPS. The Commission must then issue a decision about their gatekeeper status within 45 working days. If a company meets the above criteria, the Commission presumes it’s a gatekeeper.

Because of the criteria and accompanying thresholds, not all large digital companies will fall within scope of the legislation. In fact, not even all the digital companies considered ‘dominant’ under EU competition law will fall within this scope. Moreover, companies may not be gatekeepers for every digital service that they offer: the Commission must list the CPSs for which it considers the company a gatekeeper as part of the designation.

However, the DMA gives the Commission the power to conduct a market investigation into a company and designate it as a gatekeeper based on a qualitative assessment—even if it does not meet the quantitative thresholds. Furthermore, companies must continuously monitor the thresholds for all their CPSs and notify the Commission upon meeting any of the thresholds.

Which companies fall in scope of the DMA?

On 5 September 2023, the Commission designated its first six gatekeepers: Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft—as well as the CPSs for which they act as gatekeepers.

CPS category Gatekeeper CPSs
Intermediation
Alphabet
Google Maps, Google Play, Google Shopping
Amazon
Amazon Marketplace
Apple
App Store
Meta
Meta Marketplace
N-ICCS
Meta
WhatsApp, Messenger
Video sharing
Alphabet
YouTube
Search
Alphabet
Google Search
Social network
ByteDance
TikTok
Meta
Facebook, Instagram
Microsoft
LinkedIn
Ads
Alphabet
Google
Amazon
Amazon
Meta
Meta
Browser
Alphabet
Chrome
Apple
Safari
Operating system
Alphabet
Google Android
Apple
iOS
Microsoft
Windows PC OS

The Commission did not designate a gatekeeper of CPSs for virtual assistants or cloud computing services. It also determined that several CPSs that met the thresholds—Gmail, Outlook, Samsung Internet Browser and others—were not “important gateways”, so it did not designate the providers as gatekeepers for those services.

In April 2024, following a market investigation, the Commission concluded that Apple’s gatekeeper status extended to its iPadOS despite the operating system not meeting quantitative thresholds. The iPadOS operating system must be made compliant by 29 October 2024. 

In May 2024, the Commission designated Booking, the parent company of booking.com, as the seventh gatekeeper.

When does the regulation take effect?

The DMA entered into force on 1 November 2022 and became applicable on 2 May 2023. Within two months of that date, companies providing CPSs had to notify the Commission if they met the quantitative thresholds. 

After receiving a designation, gatekeepers have six months to comply with the required prohibitions and obligations. The six companies identified as gatekeepers in September 2023 had a compliance deadline of 7 March 2024. 

To ensure ongoing compliance, the DMA also mandates that gatekeepers undergo an independent audit each year. The gatekeeper must select an independent auditor from a list of candidates approved by the European Commission. The audit should assess the gatekeeper’s compliance with all relevant obligations, including data practices, transparency measures, business conduct and more. 

Who enforces the DMA and what are the penalties?

The Commission enforces the DMA; however, it anticipates working closely with national authorities, and national authorities can open investigations.  

Gatekeepers that fail to comply with the new rules face fines of up to 10% of their worldwide turnover and, in the case of repeat offenses, 20%. However, if necessary, the Commission can take further action, including forcing the offending company to offload assets, banning it from making further acquisitions within the EU or from operating within the EU entirely.

The Commission is taking enforcement and compliance deadlines seriously. Following the March 2024 deadline for the six gatekeepers designated in September, it opened non-compliance investigations against Alphabet, Apple and Meta. 

How does the DMA interact with anti-trust and privacy legislation?

The DMA has some overlap with existing competition, consumer and data protection laws. While EU competition law policy, such as existing infringement decisions and investigations, have influence the legislation, the DMA operates alongside rather than replaces existing EU competition rules. Likewise, the legislation does not interfere with national competition law, and both the Commission and national competition authorities can continue to conduct competition law investigations.

How Grant Thornton can help

At Grant Thornton, we understand the complexities of the DMA and can help your business navigate these new regulations. Our services include:

  • Assurance: Comprehensive assurance and attestation services for DMA compliance.
  • Compliance assessments: Evaluation of your current operations against DMA requirements.
  • Strategy development: Creation of customised compliance strategies to meet DMA standards.
  • Policy drafting: Development of clear and thorough policies for your team.