The DMA gatekeepers have submitted their third cycle of compliance reports to the European Commission. While the surface-level documentation suggests a steady march toward alignment, a deeper dive reveals a more complex reality. Our SCiDA Team has carefully reviewed this year’s submissions to identify substantive progress and mere procedural posturing (see our analysis on 2025 compliance reports here). The following analysis presents our key findings.
By Kena Zheng, Jasper van den Boom, Sarah Hinck, and Sebastian Steinert
| Gatekeeper | Pages | Significant changes in 2026 compliance reports | ||
| 2024 | 2025 | 2026 | ||
| Alphabet | 211 | 211 | 225 | 1. Data sharing under Art. 6(10) 2. Choice screen updates under Art. 6(3) 3. The External Offer Program under Art. 5(4) |
| Amazon | 32 | 178 | 178 | Third-party data portability under Art. 6(9) |
| Apple | 12 | 240 | 299 | 1. Four-category-fees structure under Art. 5(4) 2. Interoperability Requests under Art. 6(7) |
| ByteDance | 52 | 56 | 60 | 1. Consent screens and flows under Art. 5(2) 2. Data Portability API and the Download Your Data portal under Art. 6(9) and 6(10) |
| Meta | 57 | 76 | 79 | 1. Personalised ads under Art. 5(2) 2. Horizontal interoperability Art. 7 |
| Microsoft | 421 | 453 | 434 | 1. Window default settings Art. 6(3) 2. LinkedIn GenAI under Art. 5(2) 3. LinkedIn Ad Auction under Art. 6(5) |
1. Google’s DMA Compliance in 2026: From Roll-Out to Reality
Google (Alphabet) remains the most heavily designated and scrutinised gatekeeper under the DMA. Its updated compliance report for 2026 runs to more than 200 pages. With eight designated Core Platform Services (CPS), there is indeed a lot to cover.
Since the previous report, published in 2025, the regulatory reality Google is facing under the DMA has evolved. In March 2025, the European Commission issued two preliminary findings: one concerning Google Search, where certain features allegedly treat Alphabet’s own services more favourably than rival ones, and another concerning Google Play, where developers are allegedly prevented from freely steering consumers to alternative channels offering better deals. In November 2025, the Commission launched proceedings to assess whether Google applies fair, reasonable, and non-discriminatory access conditions for publishers’ websites in Google Search. Most recently, in January 2026, the Commission initiated two specification proceedings addressing interoperability obligations (with a focus on AI services) and the sharing of online search data.
Comparing the changes in the 2026 report with the previous version reveals the following:
1.1 Main changes: Data sharing under Art. 6(10), choice screen updates under Art. 6(3) and the External Offer Program under Art. 5(4)
While Google reiterates that it already provides extensive data access to business users and continues to operate the request channels introduced earlier to comply with Art. 6(10) DMA, the main updates concern additional reporting tools and analytics features across several core platform services. For example, Google Play introduced AI-generated chart summaries and new metrics in the Play Console to help developers interpret performance trends and user engagement. Google Search updated the Search Console Insights report with more detailed data on clicks, impressions, and queries. Merchant Center introduced AI-powered insights for product performance, YouTube added revised view metrics for Shorts, and Google Ads expanded reporting features for Performance Max campaigns. Overall, the changes reflect the continuous expansion of analytics tools rather than changes to the underlying data-access model.
For Art. 6(3) DMA compliance, Google implemented additional operational measures to refine its compliance solution. A “significant win for smaller browsers” is the placement of the selected browser icon in the “hotseat” of new Pixel devices instead of Chrome, which Google has rejected to do for the last two years. The browser choice screens have now also been rolled out to previously approved Android devices, including older models no longer receiving updates. The company also introduced new functionality for easier switching of default services, allowing users to change their default search engine or digital assistant more easily through device settings and clarifying privacy dialogues during the switching process.
Still under investigation for breaching the anti-steering provision under Art. 5(4) DMA, more significant updates relate to Google Play’s External Offers program. Google introduced a tiered service model for developers linking to external offers. Tier 1 covers essential security and operational services, while Tier 2 provides optional discovery and promotional features. Developers can opt out of Tier 2 services and associated fees. The program was also expanded to allow linking to developers’ own app downloads, accompanied by revised fee structures and reporting requirements. By shifting the fee structure from an acquisition commission to ongoing service fees, Google tries to make the steering to appear “free of charge” as required by Art. 5(4) DMA. It remains to be seen whether the Commission accepts this approach given that app developers will indefinitely pay a 20 % de facto commission fee on steered transactions labelled as ongoing service fees.
Regarding the other provision in the DMA intended to strengthen alternative distribution outside the Gatekeeper’s app store, Art. 6(4) DMA, similar updates are, however, missing. A lot seems still to be in flux with regard to third-party app stores and sideloading. Google describes that the precise implementation details of sideloading and the Registered App Store program for third-party app stores have not yet been determined.
1.2 What’s missing is of interest: Google’s silence on Art. 6(4), 6(5), 6(11) and 6(12)
The pending investigations into areas of potential non-compliance against Google did not have a measurable effect on voluntary updates to compliance. For Art. 6(5) (self-preferencing) and Art. 6(11) (data-sharing obligations), Google reports no additional implementation changes, noting instead ongoing discussions and investigations with the European Commission. For Art. 6(12), the report reiterates the mediation mechanism established with the Center for Effective Dispute Resolution (CEDR), again emphasising regulatory dialogue rather than new measures.
To sum up, Google’s 2026 DMA compliance report does not fundamentally redesign Google’s DMA compliance strategy. It limits itself to incremental adjustments rather than structural changes. Compared with the 2025 report, the updates largely reflect operational refinements, new reporting tools, and responses to regulatory scrutiny, with several articles showing limited or no substantive changes. In addition, where regulatory scrutiny is intense, changes to compliance are limited. Is Google ready to litigate here?
2. Amazon’s DMA Compliance in 2026: Small Updates, Better Data Portability
Compared to certain gatekeepers, Amazon introduced relatively limited changes in its 2026 compliance report. While last year’s report (including Annexes) comprised 178 pages, the 2026 report equally contains 178 pages, suggesting only modest updates overall.
The key enhancement can be observed in Amazon’s approach to third-party data portability under Art. 6(9) DMA. Amazon explains that it now provides more detailed guidance to third-party requesters, including information on procedural steps, response times and timelines, required documentation, decision criteria, and frequently asked questions, which supplement its step-by-step guide for third parties (p. 42-44). In addition, Amazon reports that it has enhanced the experience of third-party data requesters by deploying Instance Identity Verification (IIV), a mechanism intended to increase efficiency and improve the scalability of the data access process (p. 57). However, the examination of the two Annexes provided by Amazon reveals limited changes.
Moreover, during last year’s compliance workshops (see our report here), several business users indicated that, in practice, Amazon’s ranking and recommendation algorithms may still result in forms of self-preferencing. Despite these concerns, the section addressing Article 6(5) DMA in the 2026 report appears unchanged compared to the previous year. Amazon does not outline additional safeguards or methodological adjustments in this area, suggesting that the company considers its existing measures sufficient at this stage.
At the same time, Amazon is facing scrutiny at the national level in Germany. The Bundeskartellamt recently targeted Amazon’s price control mechanism under Section 19a GWB, Germany’s gatekeeper regulation. The authority prohibited Amazon from engaging in practices that influence the prices charged by independent sellers and clarified that price caps may only be imposed in exceptional circumstances, such as cases of excessive pricing. This development illustrates that, alongside the DMA framework, national competition authorities continue to closely monitor Amazon’s conduct toward marketplace sellers.
3. Apple’s DMA Compliance in 2026: Improvements Everywhere – Except on Fees
Apple’s compliance report this year provided certain changes that appears to make the Commission feel at ease. Since the DMA enforcement, the Commission has adopted a decision concerning the infringement of Art. 5(4) DMA and instructions on its compliance of Art. 6(7) DMA. In this context, Apple’s key changes in this year’s compliance report mainly focus on these two issues.
3.1. Continuing Disagreement with the Commission over Apple’s Fee Structure under Art. 5(4)
Apple’s response to the Commission’s enforcement action suggested that its implementation of Art. 5(4) has improved, although the main idea may still go against the grain set by the Commission. Compared with the compliance report published in Match 2025, this year Apple has made greater efforts in its latest report to explain its compliance strategy under Art. 5(4).
In the 2025 compliance report, Apple provided new business terms allowing linking out, the use of alternative in-app payment systems, and offering the application on third-party app stores. However, Apple continues to impose a number of restrictions on how business users may offer their goods and services, which the Commission had previously concluded non-compliance with the obligation imposed in Art. 5(4) DMA. Although Apple has appealed the Commission’s decision before the EU General Court, it nevertheless announced and implemented a set of changes to comply with the Art. 5(4) Decision on 26 June 2025.
First, Apple introduced a new fee structure applicable when developers communicate and promote offers, whether inside or outside their apps. This structure was also presented during Apple’s compliance workshop on 30 June 2025 and differs from the Commission’s requirement that developers be able to communicate and conclude transactions free of charge. The revised fee structure remains complicated, as highlighted during the June worship. Apple introduced four types of fees: the Initial Acquisition Fee (IAF), the Store Services Fee (SSF), the Core Technology Commission (CTC), and the Core Technology Fee (CFT) (p. 64-65). In presenting these fees, Apple seeks to frame the charges as reasonable and proportionate compensation for the services and technologies it provides. However, while these revised packages may slightly reduce the total payments required from developers, they may still fail to comply with the obligations imposed by the DMA.
For example, developers are required to pay the SSF on all sales of digital goods or services using an actionable link that occur within a 12-month period from the date of any install, including app updates and reinstalls. In practice, this means that not only the initial installation but also any subsequent updates or reinstalls would trigger the fee. Given the rapid pace of software updates and technology development within Apple’s ecosystem, the time limitation of 12 months may effectively operates as a rolling period. Each update may reset the calculation period, thereby ensuring that developers continue paying the fee indefinitely as long as their application remain active and updated.
This divergence reflects a fundamental disagreement between the gatekeeper and the Commission regarding whether Apple may charge developers for services associated with external transactions. Ultimately, the legality of Apple’s approach will likely need to be clarified by the EU courts.
Additionally, Apple has introduced a certain information banner on the app’s product pages. At the same time, it would provide to users or asking the developer’s app must display a system-provided disclosure sheet that explains to the user they’ll be transacting with the developer and not Apple. During the compliance workshop, several stakeholders expressed concerns that such banners or warning messages may discourage users from following external links, thereby undermining the effectiveness of the linking-out mechanism.
3.2. A More Structured Framework for Interoperability Requests under Art. 6(7)
With regard to Apple’s compliance with Art. 6(7) of the DMA, the Commission’s instructions have prompted the company to further refine its interoperability framework. Compared with the 2025 compliance report, Apple has introduced two additional sections in this year’s report: a Reference Query form for developers to ask for technical references (Section III.), and a dispute resolution mechanism for the interoperability process (Section IV).
Apple has also expanded its explanation of the interoperability framework in response to the Commission’s requirements. In March 2025, the Commission adopted a decision specifying the measures Apple must implement to ensure interoperability with connected devices. Apple indicates that these measures have either been implemented or will be implemented within the timelines established by the Commission for each solution.
In its compliance report, Apple outlined a more structured and documented process for setting out how interoperability requests are received, acknowledged, assessed and answered, including in accordance with the Process Decision (p. 186-200). The report provides detailed instructions for managing this process, combining explanatory text with visual illustrations of the workflow. Based on the current description of the system, developers appear to be able to submit interoperability requests and technical reference queries through relatively clear procedural channels.
Additionally, Apple has introduced a two-stage dispute resolution mechanism, which entered into force on 22 July 2025. Under this mechanism, developers may challenge Apple’s decisions through an internal review process conducted by the Interoperability Request Review Board (IRRB). If disputes persist after internal review, the parties may proceed to a conciliation stage.
Moreover, Apple has published a short report on the functioning of its request-based interoperability process at the end of the compliance report (p. 297-299). The content of this review largely mirrors the explanations provided under Annex 15 to Section 2. At this stage, however, the effectiveness of Apple’s interoperability framework, as well as the reliability of the data presented in the review, can only be fully assessed by the Commission following further monitoring and evaluation.
4. ByteDance’ s DMA Compliance in 2026: Was TikTok worth the trouble?
After what happened to ByteDance in the United States, DMA compliance surely is not as shocking anymore. Despite the forced divestiture of “TikTok US” to Oracle, ByteDance is still considered a gatekeeper for the platform and its EU users.
ByteDance’s compliance report focuses on selected issues. First, compliance with Art. 5(2) DMA. Here, ByteDance presents a number of updated consent screens and flows. While sceptical of the need to be designated in its first year, as it did not operate any other core platform services, there seems to have been a significant effort in developing appropriate data flows. What is more, ByteDance now concedes that separate consent for data-combination with its Capcut platform is appropriate, introducing additional safeguards. This was a point of contention early on in mandatory DMA compliance, as Capcut itself is not a core platform service.
Other than Art. 5(2) DMA, ByteDance only considered Art. 6(9) to 6(12) relevant for this year’s compliance report. According to their own assessment, other obligations do not apply to TikTok and if they did apply, ByteDance would already be compliant. Considering that TikTok is not under investigation under the DMA, unlike under the DSA, this all seems to be a good sign for DMA compliance.
For Art. 6(9) DMA, ByteDance has further developed its TikTok Data Portability API and the Download Your Data portal. With the Data Portability API, end users are empowered to make one-off or recurring requests to port their data. For the Download Your Data Portal, the speed of fulfilling requests has been updated. Other than that, no shocking new developments with respect to user data portability. All the juicy details are reserved for the Commission, as much of the standard report is noted as confidential. ByteDance details the benefits of DYD and enhanced data access for business users under its Art. 6(10) DMA strategy. It seems that here ByteDance has fused its compliance strategy with its search for new business models, as it reads as much as a sales pitch for potential business users as it does a compliance strategy for the DMA.
Finally, on its Art. 6(12) DMA compliance, the compliance reports tell us nearly nothing. TikTok would have to give FRAND access to business users for its social media service. According to ByteDance, business users are well informed of their rights, which “are consistent with FRAND principles”, and there is an alternative dispute mechanism available. To explain what FRAND is, ByteDance explains that access for TikTok Business accounts is free of charge and refers to recital 62 saying that it does not “create an imbalance of rights and obligations”. The compliance segment reads like a hastily written student paper in an attempt to make the deadline, but mostly lets us know that there is very little to report.
The third ByteDance compliance report and the associated lack of investigations make one wonder if designating TikTok was worth the trouble at all. This also sheds light on the size asymmetry within “big tech” and casts doubt on the “core platform services” approach. It seems that the need to regulate with DMA-style regulation is more appropriate for undertakings with larger ecosystems, while the systematic risks associated with social media platforms independently are perhaps best regulated under the DSA.
5. Meta’s DMA Compliance in 2026: No safa habour for personalised ads
Meta’s third DMA compliance report is to a large part reproduction of the previous version. While every other gatekeeper has, at some point, followed the Commission’s standardised reporting template, Meta still follows its own design and structure. The relevant 2026 changes concern Art. 5(2), 6(9) and 7 DMA.
5.1. Less personalised ads and Art. 5(2) DMA: This Battle is not Over
Meta’s most controversial compliance measure still concerns Art. 5(2) DMA. The obligation prohibits data combination from different services without qualitative user consent, which directly targets Meta’s lucrative business of targeted advertising. Meta’s first compliance model offered a binary choice between paying for a subscription or consenting to personalised ads (“pay or consent”), which had ended in a non-compliance decision by the Commission, including a fine of EUR 200 million in April 2025 (see our analysis here). The decision was appealed by Meta to the General Court and we expect it to go all the way up to the CJEU. In anticipation of the non-compliance decision, Meta had introduced a new compliance solution, in November 2024, which offered a third alternative with less personalised ads (LPA). This LPA-version featured, however, mandatory ad breaks and complicated consent screens nudging the user to accept personalised advertising (see our analysis here). While this LPA-solution was not directly subject to the non-compliance decision of last year, the Commission already indicated that the choice screen design would be sufficient to see a continued infringement. In its 2026 compliance report, Meta now outlines a new consent user interface, which is supposed to address these concerns (as already announced by the Commission in December 2025). If you expected meaningful changes, we need to disappoint you. Meta does not provide a full visualisation of the consent flow in its report; it seems, however, that it still consists of at least three steps: 1) primary choice screen (subscription vs free), 2) separate agreement screen, and 3) degree of personalisation screen. An effective compliance solution would feature all three options (subscription, personalised ads, and less personalised) on the first (and only) screen to maximise user choice instead of the length of the user interaction. Sometimes compliance can be simple.
Another concern raised was that the choice screen was fully dismissible, so that behavioural biases (“consent fatigue”) could prevent users from opting for the LPA. Meta now announced that the “choice flow will become non-dismissible in March 2026” (p. 16). But will it actually? Further down the report, Meta describes that the choice screen can be dismissed by clicking “OK”, whereby the default (personalised ads) remains (p. 18). Only in January 2027, Meta will require users to exercise an active choice. This strategy of using default biases is likely to play out in Meta’s favour and raises compliance concerns. We do not see a reason, why making a choice should not be immediately mandatory.
Last year’s non-compliance decision hinged on the fact that the LPA option was not an equivalent alternative (as required by Recital 36 DMA). One clear difference between the ad-funded and the subscription-funded version are mandatory ad breaks, which could be a reason to find non-compliance. How does Meta address these concerns? Not at all, it does not mention ad breaks in its compliance report. Their existence can only be derived from looking closely at visualised consent screens, where it says for the LPA option “You may see ad breaks”.
The Commission has announced to seek feedback and evidence from Meta and other relevant stakeholders on the impact and uptake of this new solution. Given the obvious question marks on compliance, we estimate that this battle is far from over.
Quick updates on Meta:
- On the portability obligation of Art. 6(9) DMA, Meta has merged two different portability tools into one, called Export Your Information (EYI), which includes technical improvements.
- The DMA requires Messenger to be usable without being linked to Facebook. The Commission noted, however, that using Messenger is unattractive without being able to use ones Facebook address book. For this reason, Meta now allows users to perform a one-time transfer of their Facebook contacts to Messenger, so that they can seamlessly continue conversations without relying on data sharing with Facebook.
- WhatsApp is now part of the Account Center where data sharing between Facebook, Instagram and WhatsApp can be consented to. Additionally, Meta says it has previewed to the Commission that it is rolling out ads on WhatsApp in the coming weeks. That means the compliance debate on less personalised ads will extend to one more service.
5.2. Art. 7 DMA: From Theory to Practice
A second notable development in Meta’s compliance report 2026 concerns Art. 7 DMA, the horizontal interoperability obligation. While the 2025 report already laid out the theoretical functioning, there was still a lack of competing messaging services that wanted to interoperate. In 2026, major competitors like Signal still declined because of security concerns, but by now new startups were founded to fill the void. BirdyChat (fully launched) and Haiket (in advanced beta testing) are the first messaging apps that are interoperable with WhatsApp and Messenger.
It remains to be seen how users will react to these options and how it will affect the market.
6. Microsoft’s DMA Compliance in 2026: Quantity over Reform
Microsoft once again holds the record for the longest DMA compliance report, clocking in at 434 pages. Yet, for all its detail, the 2026 filing is more of a refinement than a revolution. However, a closer inspection reveals that volume does not equate to transformation. Beyond minor technical tweaks and administrative updates, Microsoft’s 2026 report demonstrates a commitment to maintaining the status quo rather than introducing the deep, structural shifts required to foster a truly contestable digital market.
6.1. The Windows Ecosystem: Minimal Steps Toward Openness
Microsoft’s third DMA compliance report shows unsurprisingly limited improvement, particularly with respect to its 2026 update to its 170-page compliance report regarding its PC Operating System. Only two revisions stand out in this year’s submission, both focusing on the “decoupling” of system components and user choice under Art. 6(3) of the DMA.
Microsoft has officially redesigned Edge as a standalone, uninstallable application within the EEA. Consequently, Edge now manages its own distinct sets of “required” and “optional” diagnostic data (Windows Section 2 Annex, para. 14). However, a critical caveat remains: Microsoft specifies that it may still combine Windows optional diagnostic data with personal data from these specific applications, provided the user has granted consent (Windows Section 2 Annex, para. 13). While this technically satisfies the DMA’s “consent-based” processing requirements, it places the burden of data privacy squarely on the user’s ability to navigate complex “optional” data toggles.
Furthermore, since 7 March 2025, Microsoft has implemented three notable changes to the Windows “one-click” experience to comply with Art. 6(3) DMA requirements for default settings. Windows now offers a simplified pathway for users to change default handlers for file and link types, areas traditionally dominated by Microsoft’s own browser. While this is a step toward “contestability”, the impact is limited to the EEA, creating a bifurcated user experience between European users and the rest of the world.
6.2. The GenAI bypass: Is LinkedIn’s opt-out model a breach of Art. 5(2)?
In a significant update to its User Agreement effective on 3 November 2025, Microsoft announced that LinkedIn would begin using profile data and public posted content of EEA-Based Members to train its generative AI models (LinkedIn Section 2 Annex, para. 586). While Microsoft frames this initiative as a tool to “enhance member experience”, the implementation raises a red flag under Art. 5(2) DMA. Notably, Microsoft has decoupled this GenAI authorization from standard DMA consent settings, employing a “default-on” (opt-out) mechanism. From a regulatory perspective, this architectural choice appears to be a strategic “compliance bypass”. Art. 5(2) was specifically designed to ensure that gatekeepers obtain proactive, explicit, and informed consent before repurposing or combining user data across services. By requiring users to manually navigate an opt-out switch rather than asking for an opt-in, Microsoft’s practice compromises the “free” nature of user choice and risks circumventing the DMA regarding cross-service data processing.
6.3. LinkedIn’s Ad auction formula: Transparency or tech-washing?
Regarding the prohibition of self-preferencing under Art. 6(5), Microsoft has revised that LinkedIn runs an automated auction to determine which ads are shown to members and in what order. To meet the DMA’s mandate for transparent and non-discriminatory ranking, Microsoft disclosed the specific mathematical formula used to determine ad placement:
Under this system, the ad with the highest overall score wins the auction. While the Bid Value is a transparent financial metric, the introduction of the “Member Engagement Value” introduces significant regulatory ambiguity (LinkedIn Section 2 Annex, para. 285). Microsoft defines that the member engagement value aims to account for the longer-term economic value an ad provides to members based on the member’s attributes and behavior on the platform, including interactions with ads. For example, if the member has often engaged with ads similar to one in the auction, that ad would get a higher member engagement value and a greater chance of being shown to that member.
However, despite Microsoft’s attempt to quantify its compliance through a mathematical lens, the Member Engagement Value remains a functional “black box”. Without deeper transparency into how these engagement metrics are weighted, there is a risk that the algorithm could favor Microsoft’s own ecosystem, rendering the formula a tool for “compliance theater” rather than genuine algorithmic fairness under Art. 6(5).
Conclusion
The third year of the DMA compliance reports highlights a systemic friction in the DMA’s implementation: the prevalence of a “check-the-box” approach rather than substantive alignment with the DMA’s objectives. As the discussion above suggests, most improvements remain reactive rather than proactive, with most meaningful shifts occurring only in response to formal non-compliance decisions or pointed regulatory inquiries from the Commission. This pattern indicates that gatekeepers largely view the DMA as a set of constraints to be navigated, rather than as a catalyst for structural change in their platform ecosystems.
Ultimately, relying on gatekeepers to voluntarily deconstruct the “walled gardens” that fuel their dominance appears increasingly idealistic. The future of the DMA will likely depend on the authority’s continued engagement in rigorous, hands-on enforcement.
