One Year of DMA Compliance: Time to Grade the Homework
The digital gatekeepers have provided their second round of compliance reports to the DMA units in the European Commission. Our SCiDA Team took a close look. Here is our report!
Big Tech’s DMA homework is in—and it spans a whopping 1214 pages. From detailed disclosures to strategic silences, the second round of compliance reports from Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft reveals a mix of progress and evasiveness (the reports are available here). While one gatekeeper has multiplied the page number of its reports by 20, others opted for a copy-and-paste exercise. Overall, the reporting depth has intensified. Ready to see who’s truly stepped up and who’s just been playing defense? Let’s dive in.

1. Alphabet: Selective Fixes and Strategic Omissions
With eight designated Core Platform Services (CPS), Alphabet is the biggest gatekeeper in terms of CPS. So, in its compliance report Alphabet has a lot to cover. The report is structured by obligations per each CPS and it specifically mentions the changes applied since March 2024 per obligation – which makes it much easier to review. Alongside the report, Alphabet’s Head of Compliance, Oliver Bethell, has published a blog post that shows a more critical tone regarding the DMA than the year before. Mr. Bethell (or “Oli” as he is known on panels in Brussels) points to alleged negative consequences of the DMA for end users that suffer from “lower quality online search”. He says it takes them 50% more searches to find the hotels and shopping products they are looking for. For business users like hotels and airlines, he warns that they are “losing up to 30% of their visitors” and yet “some businesses are still pushing for more aggressive implementation of the DMA to suit their interests”. Alphabet seems to give us a taste of how it will plead its case if the Commission is unsatisfied with the compliance changes it implemented.
But what are the changes Alphabet has applied since March 2024? Alphabet made minor adjustments to the consent screens under Article 5(2), the choice screens under Article 6(3), and it enhanced the functionalities of the data export mechanisms under Articles 6(9) and 6(10). The more significant changes concern, however, Android and Google Search.
On Android, Alphabet introduced the possibility to set up a Google Account without a Google email address (Gmail). It thereby addressed concerns of non-compliance with Article 5(7), which prohibits, among others, the tying of identification services with a CPS. This issue was raised by competitors of Alphabet but was not addressed with a formal non-compliance proceeding by the Commission. That Alphabet now seems to have ceased the bundling is a relevant compliance improvement and might be an example of a successful regulatory dialogue with the Commission and concerned stakeholders behind closed doors. (We are critical of this kind of non-transparent dealing, and the DMA is, too, as Jasper van den Boom and Rupprecht Podszun explain in this article.)

And what’s new on Google Search? Regarding the sharing of click-and-query search data (Article 6(11)), Alphabet says it introduced a new pricing tier and “made technical changes to increase the volume of the dataset in a privacy-safe manner” (p. 187). This area is highly relevant for Alphabet because it concerns its search engine quasi-monopoly. What do the changes mean? Well, we don’t know. The pricing and licensing terms are only communicated to search engines who request the information, and Alphabet does not publicly specify how it compiles the anonymized dataset. Therefore, public stakeholders cannot review whether the dataset and the licensing comply with the requirements of the DMA. In November 2024, Google’s competitor DuckDuckGo revealed that the dataset “only includes data from queries that have been searched more than 30 times in the last 13 months by 30 separate signed in users”. According to DuckDuckGo that means that approximately 99% of search queries would be omitted. Alphabet does not seem to have addressed these concerns: DuckDuckGo and others again urged the Commission recently to open an investigation for non-compliance with Article 6(11).

Competitor DuckDuckGo describes Google’s compliance approach as a “roadblock to competition”
Source: DuckDuckGo
It remains to be seen whether the Commission picks up on it. If it doesn’t, it’s unlikely to be due to pressure by the Trump administration. The US Department of Justice just proposed (again) in the D.C. (Judge Mehta) Google Search Trial that Google be required to make its search index, including ranking signals, available to competitors.
And what is missing in the report? As often, it might matter more what’s excluded from the report than what’s in it. In Alphabet’s case, two DMA provisions are of particular interest, because they are at the heart of the non-compliance investigations by the Commission: The obligation to allow business users to communicate offers to their end users, Article 5(4); and the prohibition of self-preferencing in ranking, Article 6(5). And yet, Alphabet’s second annual compliance report does not mention any changes, let alone improvements, in those areas. Regarding Article 6(5), Alphabet specifically states that it has not made any changes since March 2024. Regarding Article 5(4) it obscurely refers to ongoing discussions with the Commission without announcing any changes.
Alphabet, like other gatekeepers as we will see, seems to have entered a protective mode regarding the provisions under investigation in order not to give away any self-incriminating evidence that might enable stakeholders to help the Commission in building its case. Whether this is in line with the obligation to demonstrate compliance (Art. 8(1) DMA) is a different matter.
2. Amazon: Under the Radar?
Amazon seems to have been flying under the radar of DMA scrutiny. Even though the Commission had announced investigatory steps regarding Amazon’s Article 6(5) compliance, it never opened any formal proceedings. Reuters reported last November that proceedings regarding Amazon’s compliance with the prohibition of self-preferencing (Article 6(5)) are likely to be opened in 2025. Perhaps the fear of potential investigations has led Amazon to change its compliance approach: on formal aspects, Amazon’s second compliance report appears to be a major improvement compared to 2024. Last year, Amazon had published a 32-page marketing brochure. This year it is a 178-page-long legal document following the Commission’s template. This is definitely good news for the public as the reports are supposed to “enable third parties to assess whether the gatekeepers comply with the obligations” (Recital 68).
However, a look into the details reveals that Amazon has not made significant changes to its compliance measures. The 2025 report serves as a more detailed description of the measures already mentioned in 2024. Take for example Amazon’s description of “Featured Offers” on its marketplace in the context of Article 6(5) compliance:

As you can see, Amazon has not changed its compliance measures, but the new report describes them in more detail.
In a move that may be seen as surprising to some, Amazon states that it is “not necessary for Amazon to implement any measures specifically to ensure compliance with Article 6(5)” (Annex I, para 132) because it hadn’t engaged in self-preferencing before the designation. To support this argument, Amazon continuously refers to the commitments accepted by the Commission in the 2022 “Amazon Buy Box” case stating that compliance with the commitments ensures compliance with the DMA. However, the commitments only cover Amazon’s display of “Featured Offers” and “Second Offers”, but not, e.g., the ranking of other results, sponsored placements and the display of multi-product widgets. So there is some scope for more action. Non-compliance proceeding incoming?
3. Apple: Filling Pages, Dodging Answers?
Apple is the most targeted gatekeeper when it comes to enforcement by the Commission. Three non-compliance investigations and two specification proceedings have been opened regarding Apple’s DMA compliance. Therefore, it is not surprising that Apple, similarly to Amazon, has changed its public reporting approach. In 2024, Apple published a short 12-page leaflet that strongly criticized the DMA for posing a risk to user privacy and device security. Now, the non-confidential version of the second compliance report follows the EC’s template and reaches 240 pages. (It seems that the trademark Apple minimalist approach (“Less is more”) is going out of fashion!) As opposed to last year’s report, the new report includes much more detail, screenshots and technical descriptions. However, in the report, Apple also occasionally links to further information and descriptions on its website. This is not exactly the intuitive and simple elegance Apple users love to pay for.
What has changed in Apple’s compliance? Apple is the only gatekeeper that published an interim update to its compliance report in November 2024. Compared to that report, the new 2025 version does not include much new information, except for outlining the compliance measures in greater detail. In case you missed it, in its November 2024 report, Apple confirmed that it had by now introduced app distribution through websites (Article 6(4)) and that it would provide new options (and new pricing) for app developers to steer users to offers outside the app (Article 5(4)).
Regarding the obligation to allow the changing of app defaults and the uninstallation of native apps (Article 6(3)), Apple has made further changes since November 2024. It made more native apps deletable (App Store, Messages, Camera, Photos, and Safari) and made available an API allowing competing browsers to check if they are the default. Additionally, in December 2024, Apple introduced new settings allowing users to change the default services for calling, messaging, password storage, keyboards, and call filtering.
Following Apple’s first compliance report, BEUC, the European Consumer Organisation, complained that despite users being able to select a new default browser, Safari would still be displayed on the Dock or the first page of the Home Screen.

Apple has now reacted to these complaints and as of December 2024, a newly selected and downloaded default browser will automatically replace Safari on the Dock / the first page of the Home Screen.
So overall, some changes for the better – finally.
And what about the ongoing proceedings? As for Alphabet, they seem to have turned Apple more cautious and less willing to share information. For example, regarding the prohibition of anti-steering measures (Article 5(4)), Apple had announced in August 2024 that it would lower the restrictions for app developers to promote offers outside the app and apply a new fee structure for outside-the-app purchases. However, in its new report, Apple confesses that none of these changes have been implemented, “as it is engaged in ongoing constructive conversations with the EC about those changes” (p. 17). The ongoing proceedings have also led Apple to refuse to disclose any data on the impact of the compliance measures. That concerns e.g. the interoperability obligation of Article 6(7): “Pending those proceedings, Apple does not provide the data under the data points identified” (p. 165).
With five proceedings currently ongoing, Apple seems to have entered a double-bladed defense mode: Make the public read a lot, but disclose nothing which is under investigation.
4. ByteDance: More Court Filings than Compliance Changes
While ByteDance is still fighting its designation as gatekeeper in court (it has now appealed the General Court decision to the CJEU), its DMA compliance journey has been largely uneventful. The ByteDance compliance workshop in March 2024 had already seen a lack of interest and there does not seem to have been much controversy over its compliance measures since. One of the reasons for that might be that ByteDance and Booking (whose compliance deadline was in November 2024) are the only gatekeepers with only one designated Core Platform Service.
The lack of controversy is also reflected in the changes to its compliance measures: there are basically none. The new 56-page report is largely identical to the previous 52-page report. The only significant change concerns Article 5(2), the prohibition on combining and cross-using data from different services without consent. In December 2024, ByteDance had launched a new service, the TikTok Shop, and it has therefore now set up a new consent mechanism for combining and cross-using data from TikTok with this service and vice versa.
We expect the most interesting part about ByteDance in the DMA context to be the continued court proceedings on the designation as a Gatekeeper. And of course, our project is still not a fan of TikTok (as he fails to conceal in this good read).
5. Meta: A Questionable Fix and a Dead End?
Meta is the second-biggest gatekeeper in terms of designated CPS (6). And now it is the only gatekeeper that does not follow the Commission’s template for the public version of its compliance report. The report is 76 pages long and includes detailed information about Meta’s compliance measures. The most relevant changes concern Article 5(2) with a new alternative to the “pay-or-consent” model and Article 7 with the obligation to enable messaging interoperability.
In June 2024, the Commission preliminarily found that Meta’s pay-or-consent advertising model violates Article 5(2). Meta reacted to these findings and introduced a third alternative in November: a free, less-personalised version of the service with mandatory ad-breaks. These changes were analyzed in detail on our SCiDA blog. Meta doesn’t seem to have read the blog post, as its compliance approach with Article 5(2) has not changed since then. We should know soon whether the new approach satisfies the expectations of the Commission, as it is expected to decide on Meta’s compliance by 25 March 2025 (unless Mark Zuckerberg convinces his new buddy Donald Trump to, well, convince Madams Ribera and Virkkunen to shy away from DMA enforcement against the Tech-Bros).
Messaging interoperability has been one of the most debated aspects of the DMA. Article 7(1) states that the designated “number-independent interpersonal communications services” (NIICS; WhatsApp and Messenger) need to make the basic functionalities interoperable with other NIICS providers (such as Signal or Telegram). In a first step, those functionalities include end-to-end text messaging and sharing of images, videos and voice messages between two users. In later stages, the DMA requires group messaging and voice as well as video calls to be added. For Messenger, the Commission had granted Meta a compliance deadline extension for the obligations under Article 7 until September 2024.
In last year’s compliance report, Meta only included one page of limited information on how the interoperability solution will work. In the new report, Meta uses 13 pages to describe, explain and visualize the new functionalities and how they will be rolled out.

As part of the rollout, Meta announced that it would display in-app notices once messaging interoperability is available so that it can be activated in the settings. If you use WhatsApp or Messenger you can check whether these settings are already available to you. The authors of this blog post tried – and saw that there is nothing to see yet. A case of non-compliance? Not necessarily. Messaging interoperability requires the competing providers to request it and sign an agreement with Meta stipulating the terms of the cooperation. However, two of the prominent messaging competitors, Signal and Threema, have announced they want to have nothing to do with messaging interoperability with Meta’s services. They fear interoperability would endanger their security and privacy standards because they don’t trust Meta’s handling of the messaging information. So the messaging interoperability requirement under the DMA might be set up for failure if no competing provider wants to make use of it. And regarding competitive dynamics it might even be for the best: a German study found that messaging interoperability might lead to a stronger use of gatekeeper services and cause a reduction of usage of alternative NIICS.
6. Microsoft: Copy-Paste and a Subtle Punch
Alphabetically, Microsoft is the last gatekeeper in line, with its two CPS Windows and LinkedIn. In the first round of compliance reports Microsoft made an effort to report at length, and it championed quantity this year again with a total of 453 pages. The report for Windows (166 pages) is largely copy-pasted from last year and only has a few modifications. One interesting update concerns Microsoft’s description of its compliance with the interoperability requirement of Article 6(7). Microsoft mentions that it “follows a proactive ‘interoperability-by-design’ model” (Annex I, p. 111). That means that every new feature on Windows is designed considering “how both Microsoft and third-party applications will have equal access to those new features” (Annex I, p. 111). In that context, Microsoft tries to cast a bad light on its competitors by highlighting that its proactive approach “is in contrast to some other OS providers that rely on a request-based process to deliver interoperability” (Annex I, p. 111). Take this, Apple!
And what’s new on LinkedIn? Notably, Microsoft had to update its consent screens as part of its Article 5(2) compliance because of a decision by the Irish Data Protection Commissioner in October 2024 (which fined Microsoft EUR 310 million for breaches of the GDPR). This shows once more how the enforcement of the GDPR and the DMA are intertwined. Therefore it should be welcomed that the Commission and the European Data Protection Board are currently cooperating to develop guidance on the interplay between the DMA and the GDPR.
Overall, Microsoft’s compliance measures remain largely unchanged, but it also does not seem to have to fear anything – the Commission has neither opened any proceedings against Microsoft nor has it announced any investigatory steps.
7. Conclusion: Progress Made, But the Real Test Lies Ahead
The first year of DMA compliance has seen many improvements, but there remain many aspects of unconvincing compliance that need to be addressed. Many reports still feature uninformative, hollow statements. Most relevant information is often marked as [confidential]. Regarding the obligations under investigation, the gatekeepers seem reluctant to share information. Overall, there is still a long way to go for effective compliance.
The true test lies ahead. This month, we are expecting eight decisions by the Commission in DMA proceedings:
- 19 March 2025: The Commission is expected to issue its final decisions in the two specification proceedings regarding Apple’s compliance with the interoperability requirement of Article 6(7).
- 25 March 2025: The six non-compliance investigations against Alphabet (2), Apple (3) and Meta (1) should come to an end since they were opened 12 months ago. The DMA’s deadlines are not tough as nails (“shall endeavor”), but the Commission has announced it intends to stick to the deadline.
If the Commission adopts one or multiple non-compliance decisions against Alphabet, Apple and/or Meta (with potential fines of up to 10% of their annual world-wide revenue), we expect the gatekeepers to appeal them. This is when the fun part starts: The Court of Justice will grade the gatekeepers’ compliance homework – and the Commission’s approach to DMA enforcement.
This blogpost was brought to you by the SCiDA team. SCiDA stands for “Shaping Competition in the Digital Age”. It is a joint research project of the Universities of Düsseldorf and Exeter, funded by the two independent research funding organisations DFG and AHRC.
