The European DMA forces large digital platforms – gatekeepers — to make some hard adjustments. Although gatekeeper engineers and lawyers have spent many hours analyzing the DMA’s obligations, opponents deride their much-awaited solutions as being too little, too slow, and violating, if not the requirements, at least the law’s spirit. Among other violations, critics accuse gatekeepers of “security washing” by claiming security concerns and maintaining high fees.
Who is right? It’s hard to tell because the line between what the DMA prohibits and what it allows remains unclear. The new tech law’s blank spots produce uncertainty for companies, competitors, and consumers. They leave regulators in the uncomfortable position of deciding how search engines, app stores, or other technology services should be run.
Part of the problem stems from the EU’s unwieldy legislative process. When the European Commission first proposed the DMA in February 2020, the core two articles (Articles 5 and 6) contained 23 lengthy obligations for gatekeepers. The obligations were straightforward. The European Parliament increased them, adding vague and unclear language.
The result is a difficult-to-enforce law. Among the unanswered questions are how gatekeepers should be allowed to define security for services, what is a reasonable and non-discriminatory price for these services, and even how to make the new obligations workable.
- Interoperability: As negotiations for the DMA climaxed, European parliamentarians insisted on forcing gatekeeper messaging services to become interoperable. In practice, this meant obliging Meta’s WhatsApp and Messenger to accept calls from Signal, Skype, and other messaging services.
European Commission officials shook their heads in bewilderment. They had no idea how to meet this requirement. Internet-based messaging services don’t resemble traditional telephones where networks are built to connect to each other. Nor is it clear that the new tech regulation is needed — messaging services are free of charge and many consumers carry multiple ones on their mobile phones.
Frantic negotiations have ensued. The Commission has queried various messaging services to understand the technology. Meta has come up with a potential solution. At this date, though, it remains what if any rival messaging services will agree to interoperate.
- Security and Sideloading: Apple and Google control access to almost all the world’s mobile phones through their IOS and Android software. Both run app stores. Under the DMA’s original version of Article 6(4), the initial requirement was straightforward: users should be allowed to “sideload” or download from new app stores.
In the Act’s final version, the text added notions of “security” and “privacy” as a reason for gatekeepers to deny or restrict sideloading. The final DMA allows “proportionate measures to ensure that third-party software applications or software application stores that do not endanger the integrity of the hardware or operating systems.”
Apple and Google interpret this clause to allow them to vet apps regardless of their distribution channel and to impose policies to ensure security, privacy, and device integrity. Apple believes its strong vetting procedure — which it labels as “notarization”, and which includes human review — differentiates its app store from Google’s. Third-party app marketplaces are presented as an alternative to sideloading.
Is such an interpretation compliant? A definitive answer is hard to judge. It could be seen as way too restrictive, limiting competition from new app stores and direct downloads from websites. However, the text of Article 6(4) seems to give room for such an extensive interpretation.
- Fees: Under the DMA, gatekeepers are allowed to provide their services at a market price reflecting fair, reasonable, and non-discriminatory terms of service — FRAND.
Regulators usually run away from setting prices. Under the DMA, the attention has been on both Apple and Google’s app store fees. Both have released complicated compliance changes, decreasing fees in some situations, for smaller developers, while keeping the prices similar, or, perhaps, even increasing the fees for other app developers.
FRAND should never have been included in the DMA. Parliamentarians introduced it, without conducting an impact assessment. From the telecom sector, it is one of the most litigated terms in modern times. Neither the gatekeepers nor anyone else knows what the right level of pricing is for app stores, and terms to rank, query, click, and view data.
The proposed DMA-compliant gatekeeper fees may reflect FRAND. Or they may not. FRAND pricing models or terms are notoriously difficult to pin down. FRAND has also been introduced in the EU’s Data Act, which requires large tech companies to share their data.
Given the vagueness of the DMA and the lack of experience to become DMA compliant, it is natural that gatekeepers are being prudent and protective of their technology business models. The result is legal uncertainty. European Commission enforcers, and in the end the EU courts, will need to provide answers to the DMA’s ambiguous, unanswered questions.
Björn Lundqvist is a Non-resident Senior Fellow with the Center for European Policy Analysis. He is Professor of Law in the Law Department of Stockholm University and the Head of the EU Law Research Group, Director of the European Law Institute, and Director of Ascola Nordic.
Tech is bracing for a regulatory reckoning. On March 7, the largest online platforms will roll out changes mandated by the Digital Markets Act, the most sweeping tech legislation since the European Union passed the GDPR privacy law in 2018. In this special series, Bandwidth looks at the DMA legislation, its motivation, its implications, and its challenges.
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.
2025 CEPA Forum Tech & Security Conference
Explore the latest from the conference.
