Compliance time! Categorizing Risks of Compliance Failures in the DMA

It’s compliance time! On the 7th of March, the first designated gatekeepers had to start complying with the substantive provisions of the DMA. The European Commission’s anticipation of this moment was characterised by their official DMA countdown clock. Around the time the clock ran out, the gatekeepers published the non-confidential summaries of their compliance reports. Now, it’s time to make up the score: how much has changed pre- and post-compliance time, and how effective are the proposed changes by the gatekeepers in stimulating fairness and contestability? While the Commission’s DMA team scours through the full reports, we provide some first observations on the summarized compliance reports. Here, we set out some risks for compliance failures we have identified when reading through the non-confidential summaries.

By Jasper van den Boom

The six gatekeepers have issued their non-confidential summaries: Alphabet, Apple, Amazon, Meta, ByteDance and Microsoft (all available here). Already at first glance, the non-confidential summaries of the compliance reports issued by the gatekeepers reveal that monitoring whether these undertakings are in compliance with the DMA – and especially if this compliance is effective – will be quite a challenge. The reports differ greatly in terms of length, presentation, tone, and complexity. To give a striking example, there is a significant difference between Apple’s 12-page summary – which generally focuses more on how it protects users from the unintended side-effects Apple envisions – and Microsoft’s report and annexes of a total of 421 pages. A difference between the reports is not surprising, considering that some gatekeepers have to make changes related to more core platform services (CPS), or have to change more within their CPSs to comply with the DMA. However, some of the differences can also be explained by the willingness to demonstrate compliance, or at least the willingness to convince the Commission that they are complying with these new obligations. A brief overview of provisions that require changes as identified by the gatekeepers themselves can be found hereunder:

| Designated gatekeeper | Relevant core platform services (CPS) | Provisions that require changes (according to the gatekeeper) | Number of pages |
| --- | --- | --- | --- |
| Apple | App Store, Operating System (iOS), Web browser (Safari) | Article 5: 3, 4, 5; Article 6: 2, 3, 4, 7, 9 | 12 |
| Amazon | Marketplace (as an “Online Intermediation Service (OIS)”), Online Advertising Service | Article 5: 2, 4, 6, 9, 10; Article 6: 2, 5, 8, 9, 10 | 32 |
| ByteDance | Online Social Networking Service (OSNS) (= TikTok) | Article 6: 9, 10, 12 | 52 |
| Meta | OSNS (Instagram and Facebook), Number-Independent Interpersonal Communications Service (NI-ICS = WhatsApp), Advertising Service, Marketplace (Online Intermediation Service) | Article 5: 2, 8, 9, 10; Article 6: 2, 5, 8, 9, 10, 12; Article 7: 1, 2 | 57 |
| Alphabet | App Store, Online Search Engine, Video-sharing service (YouTube), Web Browser (Chrome), OS (Android), Advertising service, Google Maps (OIS), Google Shopping (OIS) | Article 5: 2, 3, 4; Article 6: 2, 3, 5, 8, 9, 11, 12 | 211 |
| Microsoft | OS (Windows), Online Social Media (LinkedIn) | Article 5: 6; Article 6: 2, 3, 7, 9 | 421 |

Each of the compliance reports has its own strengths and weaknesses.

  • Apple’s report is short and easily legible. However, Apple does not specify which changes relate to which provisions, where it believes it is already compliant and which obligations are supposedly not applicable.
  • In its report, Amazon notes that it has made changes to certain policies so as to comply with the DMA, without specifying which changes have been made.
  • ByteDance mostly defends its behaviour by stating that it is either already compliant due to its existing policies, or that provisions do not apply as they do not operate multiple core platform services. ByteDance’s compliance strategy may have to change significantly if their advertising service is also designated in the future.
  • Microsoft’s report is extremely lengthy and detailed. However, one may get lost in the technicalities of compliance to the point that it is unclear whether these technical changes actually align with what is required under the DMA.
  • Alphabet, lastly, seems to have the most structured report and clearly communicates how it wishes to comply with the DMA’s obligations. However, mere communication of one’s intentions does not translate into compliance, let alone effective compliance.

Below, we set out several risks for compliance failures, or risks for ineffective compliance, based on our preliminary observations on the non-confidential summaries.

Categorizing & exemplifying risks of compliance failures

Based on all six reports, we highlight several risks of non-compliance, ineffective compliance or circumvention which must be studied further and addressed. Following the first reading of the reports, we introduce this first (preliminary) categorization of 6 risks identified that may lead to ineffective compliance and provide some examples of what we have seen in the reports.

1.      Disputes on nomenclature used in the DMA and the nature of the service

Disputes on the nomenclature may come in different forms, but mostly relate to scope and delineation of either the provision or the core platform service. By reading the provision in a certain way, or by stating that certain activities are integral to the core platform service and therefore cannot be offered separately, the gatekeeper may attempt to escape making certain changes that would be required to make compliance effective.

One example can be found for instance in Microsoft’s position where it argues that its different LinkedIn services (LinkedIn Jobs, Learning, and Marketing Solutions) are all part of the same CPS. Consequently, it would not have to obtain permission for the cross-use of data between these services. Another indicator of such a dispute can be found in Microsoft’s statement that it is still working to turn Microsoft Edge into an application so that it can be uninstalled, as Microsoft had previously considered their web browser as a functionality of the operating system. ByteDance, in relation to a number of provisions, argues that its advertising services and social media service are part of the same multi-sided markets, and that it therefore does not infringe on any obligations related to gatekeepers that operate multiple core platform services. These types of disputes may help gatekeepers to minimize the changes they are required to make under the DMA.

2.      Faulty compliance mechanisms which only appear to address prominent issues

Faulty compliance mechanisms exist when the gatekeeper complies with its obligations on paper, but does so in a way that either makes compliance ineffective or even strengthens the position of the gatekeeper. A particular risk for faulty compliance exists in the offered choice screens, consent mechanisms for the collection and cross-use of data, and self-preferencing obligations.

The risk related to choice screens has already been observed previously when choice screens were implemented following the Google Android case in 2018. Here, problems arose largely due to the auction mechanism that was used to determine which search engines would be shown, a lack of incentives for users to pick competing search engines or browsers, a lack of information, and the presentation of the options (as pointed out by organisations like BEUC or SearchNeutrality). While Alphabet seems to have largely addressed these shortcomings in their proposed changes to the choice screen in their compliance report, there is a need for monitoring of the implementation of these choice screens by Alphabet, as well as Microsoft and Apple.

Another possibly faulty compliance mechanism may exist in Meta’s approach to the cross-use of data. While users can opt to not share data between core platform services through the new Accounts Center, it seems that the only way to avoid a combined use of data for the purpose of advertising is by subscribing to their paid social media program. It is questionable if such a distinction is allowed, and if the prices are viewed as prohibitive by users.

3.      Nudges to drive behaviour and actions by end-users and business users

Nudges to drive behaviour by end users pose a real risk to the effectiveness of compliance and the possibility for the DMA to drive actual change. By overloading users with warnings, risks, choices, or by the use of other dark patterns, gatekeepers can drive end-users and business users away from making certain choices that may benefit end- or business-users and competition.

In its compliance report, Apple signals that it will provide numerous warnings for risks of fraud, theft or limited functions if users want to use third-party services. From the report, it seems that these risks are not one-off, but instead occur whenever the user wants to make use of the third party service. These extra barriers to using the service may dissuade users from venturing outside of the Apple ecosystem altogether. In Alphabet’s compliance report, it is signalled that some functionalities may not be available for users when there is no combination of data and that users will be prompted with the choice to turn on cross-use of data in order to resolve these issues. However, providing this consent is again not a one-off, but switches the users from non-consenting to consenting with respect to those services in the future.

4.      The introduction of additional (and prohibitive) costs for users to dissuade them from using their rights under the DMA

The introduction of additional and prohibitive costs is an effective way to dissuade users from trying new services. These risks have been observed particularly in relation to Apple and Alphabet’s proposed conditions for the use of third-party app stores. When software developers intend to use a third-party app store, they will still have to pay a fee to the gatekeeper per download. This effectively raises the intermediation costs paid by the software developer to offer their apps through third-party marketplaces. As a result, incentives for software developers to use these third-party services are likely diminished.

By limiting the emergence of third-party app stores, and then limiting incentives for software developers to use the third-party app stores, the gatekeepers may be able to harness network externalities to support their own position and hinder emerging competitors. Whenever users are required to pay a fee to make use of their rights under the DMA, it should be monitored whether this fee is reasonable and if it does not limit the effectiveness of the obligations.

5.      Attempts to justify behaviour and to introduce additional safeguards or seek exceptions

Attempts to justify behaviour may lead gatekeepers to take the position that they cannot or should not fulfil certain obligations, as they are justified in doing so to protect their users. Apple’s introduction of the iOS Notarization app, Meta’s decision to make Facebook Dating unavailable for non-consenting users, or Alphabet’s argument that disabling apps is equivalent to allowing users to uninstall such apps constitute such justifications.

It is the right of gatekeepers to argue justificatory grounds for their behaviour. However, the possibility of justification is limited under the DMA, in particular if compared with competition law. So, the Commission must not only assess whether there is flesh to the bone of the argument. It also needs to check carefully whether a justification is admissible in the first place. The DMA does not allow for many justifications.

6.      Delay strategies which allow the designated gatekeeper to maintain (parts of) their business models for an undue period of time

Finally, delaying implementation may allow the gatekeeper to significantly postpone granting rights to its users under the DMA. Apple, in its compliance report, signals that many changes will only be effective at the end of 2024 or in 2025. Alphabet argues that – in order to change its choice screen from stratified randomised results to fully randomised results – it must postpone offering a choice screen until the end of 2024, and Microsoft also raises technical difficulties as a justification to introduce several changes late 2024.

ByteDance has its own strategy to introduce delays by limiting its changes on the basis that its advertisement service should not be considered a CPS. (ByteDance’s advertising service is currently in the designation process.) If the Commission decides to designate ByteDance’s ad services as well, they will have to significantly adapt their compliance strategy. This buys ByteDance additional time while it is waiting out its appeal concerning TikTok’s designation in the first place (see the very first order by the General Court here).


Each of these categories of behaviour may by itself or in conjunction with others lead to ineffective compliance in the short and long term. The examples provided above are just a first look at what possible risks may arise in relation to which types of behaviour. However, each of these choices in the compliance strategies of gatekeepers deserves its own in-depth investigation.

Preliminary observations on the non-confidential compliance reports show that there are big differences between the methods and styles of reporting across different gatekeepers. Some gatekeepers show more willingness to comply (or at least to demonstrate compliance), others have opted to respond more defensively to their designation and the new rules. However, being the ‘best in class’ in reporting changes does not necessarily mean that these changes are also effective and lead to a desirable impact for contestability and fairness.

The six categories of compliance risks highlight how and why compliance may ultimately be ineffective. However, we cannot say with certainty that gatekeepers are compliant or non-compliant based on the non-confidential summaries of their reports. As such, we must conclude with the warning that the Commission must weigh and contemplate the effectiveness of different measures in first instance, as well as monitor the implementation of these changes in the foreseeable future. In this exercise, it is particularly important to take into account the views of business users and competitors. The DMA compliance workshops in week 2 of DMA application provide a good forum for this assessment. See our report on the workshops here!

Finally, it seems that we are far from alone in observing the specific compliance risks and the behaviour which exemplifies them. Mere days after the first compliance workshops, the Commission has opened investigations into possible non-compliance related to Apple and Alphabet’s potential steering behaviour in their Operating Systems, as well as Alphabet’s changes to its online search engine. Meta’s pay-or-consent model is also being investigated. Finally, the Commission remarks that Amazon’s behaviour related to self-preferencing in their Store and Apple’s new fee structures may also be worth investigating. This categorization of potential compliance risks may be helpful to scrutinize changes and identify risks, as enforcement of the DMA is clearly just beginning!
