The architecture of mobile operating systems creates a real tension between open access and secure design, and that tension complicates the implementation of the DMA's interoperability mandate. It need not be an irreconcilable one.

To conclude this article series on Europe's DMA, I offer a set of recommendations for the secure implementation of Article 6(7).

  • Interpret "effective interoperability" in terms of outcomes, not privileges: The European Commission should clarify that Article 6(7) guarantees equivalent functional access for third parties but does not require identical internal entitlements to OS-private or kernel-level interfaces. Equivalent outcomes can often be achieved through secured, scoped APIs that expose virtual assistant, hardware, or software features without granting the caller the operating system's own internal privileges.
  • Establish a tiered access model for interoperability features: Gatekeepers should be required to classify each new interface under a three-tier risk model (low, moderate, and high risk), with obligations that escalate with the tier. This operationalizes Article 6(7)'s security safeguard in a predictable way. Low-risk interfaces, such as those that confer no persistent privileges, could be presumed available to all registered developers. Access to security-sensitive features, data, or hardware should be contingent on additional controls applied to the developers seeking it.
  • Require security impact assessments before new interoperability features are implemented: Policymakers should mandate a formal security impact assessment (SIA) for each Article 6(7) interface before it is activated, including a determination of whether the interface poses a low, moderate, or high risk to user data and security. These assessments should cover threat modeling, supply-chain risk mapping, and the potential unintended consequences for users' security and privacy.
  • Preserve end-to-end encryption and data minimization by default: Interoperability implementations must not weaken end-to-end encryption or expand data collection beyond what is strictly necessary. Each interoperability API should ship with a data-minimization statement and a privacy threat model.

  • Align DMA enforcement with evolving cybersecurity standards and timelines: The Commission should align interoperability guidance with established EU cybersecurity frameworks (e.g., NIS2, ENISA risk models) and reconcile compliance timelines with technical feasibility. The Commission should work in an interagency fashion with its cybersecurity and privacy counterparts on interoperability determinations. Additionally, enforcement deadlines should be staged and extendable based on the results of security impact assessments and security testing.  
  • Involve ENISA in evaluating the cybersecurity implications of interoperability requests: The European Union Agency for Cybersecurity (ENISA) should play a formal role in reviewing the security aspects of interoperability requests and proposed implementations under Article 6(7). ENISA’s technical expertise and risk-assessment methodologies can help assess whether proposed interoperability features introduce unacceptable cybersecurity or privacy risks, and whether proposed implementations are sufficiently protective. By consulting ENISA on security impact assessments and during enforcement decisions, policymakers can ensure that interoperability requests are measured against consistent technical criteria and informed by current threat intelligence, rather than by business or political considerations alone. This coordination would also help harmonize DMA implementation with the EU’s broader cybersecurity strategy and frameworks under NIS2 and the Cyber Resilience Act. 

Policymakers’ efforts to ensure market competition and platform providers’ efforts to ensure the security of their operating systems are not mutually exclusive. Interoperability mandates must account for the architectural realities of modern operating systems — particularly mobile operating systems. Competition goals and cybersecurity imperatives must be acknowledged and reconciled. 
 
If policymakers want to avoid undermining user trust, safety, and system stability, they must collaborate with platform providers and developers to ensure that architectural and security realities are understood and taken into account. As it stands, the DMA imposes interoperability requirements in a way that outpaces security governance capacity, putting platform integrity, user data, and overall cybersecurity at risk. 
 
Article 6(7) should be implemented with security-by-design principles: tiered access, feasibility gates, and transparency mechanisms that preserve operating system integrity while enabling third-party innovation. If implemented with care, the DMA can serve as a model for acknowledging the interplay of competition and cybersecurity in digital markets. By drawing on ENISA’s expertise and grounding enforcement in established cybersecurity frameworks, the EU can demonstrate that digital trust and market competition are mutually reinforcing. Europe has the opportunity to set a global model for integrating economic and security policy in the digital age. The path forward is not to dilute either competition or security, but to align them. 

Heather West is a Senior Fellow with the Tech Policy Program at the Center for European Policy Analysis (CEPA).

Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.
