On 1 April 2026, the Competition and Markets Authority published its response to the 50+ submissions received during the call for evidence on proposed commitments from Apple and Google concerning app review, app ranking, use of developer data, and (for Apple) interoperable access to functionality within iOS and iPadOS. The CMA’s decision to proceed with revised voluntary commitments rather than formal conduct requirements represents a significant moment in the early life of the DMCCA’s digital markets regime. It is also a moment that merits careful scrutiny, not least because the majority of respondents opposed the approach the CMA ultimately adopted.
by Anush Ganesh
What the CMA Received
The consultation, which ran from 10 February to 3 March 2026, generated responses from 34 individuals and small developers, 15 trade bodies and associations, and 4 large developers. The SCiDA Project was among those responding, alongside organisations including the Coalition for App Fairness (CAF), the Coalition for Open Digital Ecosystems (CODE), ACT/The App Association, Open Web Advocacy (OWA), and the Free Software Foundation Europe (FSFE). The individual responses, now published by the CMA, provide a striking window into the lived experience of developers operating within the Apple and Google ecosystems. Their accounts bring a granularity and urgency that institutional submissions cannot always capture.
The Central Tension: Commitments or Conduct Requirements?
The dominant theme across the responses was clear. The majority of respondents did not support the proposed introduction of commitments and called instead for the CMA to impose conduct requirements under sections 19 to 28 of the DMCCA. Respondents raised questions about the legal basis for the CMA’s approach, expressed concern about enforceability and the implications for the broader regime, pointed to Apple’s and Google’s track record of resistance to regulatory measures across jurisdictions, and argued that the commitments left both firms with excessive discretion.
The CAF was among the most forceful, arguing that the commitments have no statutory basis in the DMCCA and are therefore unenforceable, with no statutory consequences or penalties for non-compliance. CAF emphasised that if Apple or Google fail to comply, the CMA would need to design and consult on conduct requirements from scratch, a process that would add considerable delay. OWA described the commitments as “a gift to Apple and Google,” arguing that allowing dominant gatekeepers to set the terms of their own restraint after years of enforcement difficulties across jurisdictions would not deliver real competition. CODE drew detailed comparisons with the EU’s specification proceedings against Apple under DMA Article 6(7), highlighting the significantly more structured process available in the EU framework, including an independent Interoperability Request Review Board issuing reasoned decisions within 30 working days and an external conciliation stage.
The DMCCA provides for conduct requirements and pro-competition interventions but does not contain an explicit mechanism for voluntary commitments of this kind. While the commitments are not purely voluntary (the CMA has signalled that non-compliance would trigger formal measures), they do not carry the status of binding legal instruments. This creates a regime of soft regulatory pressure that, while offering flexibility and speed, raises concerns about legal certainty for designated firms and third parties alike. By contrast, the EU’s DMA imposes obligations directly upon designation, and Germany’s Bundeskartellamt under Section 19a GWB has similarly favoured binding administrative orders over voluntary undertakings.
A few respondents, including ACT/The App Association, took a different view, welcoming the commitments as pragmatic and capable of delivering swift benefits, and arguing that commitments are more dynamic than formal processes.
The CMA’s Justification
The CMA’s response acknowledged the majority opposition but maintained that commitments are the swiftest and most pragmatic means of addressing the specific transparency and certainty concerns identified. The CMA framed its focus as codifying processes that Apple and Google already have in place, going further in some areas, and ensuring robust reporting mechanisms. It argued that action through commitments would lead to much swifter changes than proceeding through the conduct requirements process, while achieving similar outcomes and freeing up resources for other priorities.
On the legal basis question, the CMA anchored its decision in sections 19 and 25 of the DMCCA, characterising the approach as a proportionate and targeted decision not to impose conduct requirements at this time while keeping the position under review. The CMA also responded to submissions that commitments could not reasonably have been expected given the July 2025 roadmaps, noting its discretionary powers under the DMCCA to reassess priorities as markets and regulatory developments evolve.
The DMCCA was designed to give the CMA a flexible toolkit, and there is nothing inherently objectionable about pursuing informal resolution before formal action where the circumstances justify it. The question is whether the circumstances here in fact do. The CMA itself identified conditions under which commitments would be inappropriate, including where firms have little incentive to change conduct, where compliance is difficult to monitor, and where historical conduct does not give confidence in constructive engagement. Several respondents submitted that precisely these conditions are met in the present case.
Individual Developer Voices
The individual responses published by the CMA offer perspectives that deserve particular attention. These are developers, web professionals, small business owners, and consumers who operate daily within the ecosystems that the commitments seek to address.
Several themes recur across these submissions. There is deep scepticism that voluntary commitments will deliver meaningful change. As one web developer put it, the commitment “reads as coming from an alternative universe in which the past twenty years of damage to businesses like mine, and customers like myself, didn’t happen.” Another described the proposals as offering “no meaningful improvement for UK businesses or consumers” and expressed fear that Apple and Google “could destroy my business in an instant through their market abuse of the platforms.” A small software consultancy lead explained that Apple’s positioning, where it does not commit to providing certainty to developers about what will be made available and when, gives “zero confidence to invest any resource in making things work for iOS.”
Multiple respondents highlighted Apple’s requirement that all browsers on iOS and iPadOS use the WebKit engine as one of the most significant competition concerns. A respondent compared the current state of Safari to the worst era of Internet Explorer, noting that considerable engineering hours are lost across the industry working around deficiencies that Apple introduces through this behaviour. A travel company explained that in 2026 it is targeting browsers from early 2022 due to the long tail of Safari users on old versions, and that Apple’s practice of tying browser updates to operating system updates causes slow rollouts that hold back the capabilities available to web businesses. The CMA has indicated that browser work is planned for 2026, but the commitments do not address this area.
The third theme is interoperability in practice. Respondents raised concrete examples. One described the inability of third-party smartwatches to fully interact with iPhone notifications, contrasting this with the capabilities of the Apple Watch. Another described public transport apps in Spain that are available only on Android because iOS restricts the relevant APIs, creating a situation where consumers who bought an iPhone are excluded from the best fares. An economics-focused respondent characterised the interoperability issue as “possibly the most anti-competitive issue covered by these proposals,” noting that unlike other phone manufacturers, Apple can withhold access to hardware functions to make certain third-party app categories technically impossible, such as NFC payment services that would compete with Apple Pay. This respondent also observed that the criterion of “alignment with Apple’s platform priorities” is so vague it should not be a valid basis for rejection.
Interoperability: The Deepest Divide
The interoperability commitments attracted the most sustained criticism. The large majority of respondents who addressed this area were concerned that Apple’s proposals would not ensure meaningful interoperability and would enable Apple to deny requests on a discretionary basis. Several called for a general default interoperability requirement.
The CMA’s response was clear that its aim is not to create a default interoperability requirement but rather to ensure that Apple fairly and objectively considers requests. The CMA accepted that the “alignment with Apple’s platform priorities” criterion is vague and secured additional detail from Apple, while acknowledging that Apple’s roadmap for feature development may contain legitimate business secrets. The CMA also noted that Apple has now extended the interoperability feedback channel on a worldwide basis, addressing concerns that UK-registered developer account restrictions would exclude the majority of developers serving UK consumers.
However, the CMA declined to require binding timeframes for assessing requests, declined to mandate an independent appeals mechanism, and declined to expand the scope of eligible requests to include functionality that exists technically but is not currently used by Apple. On each of these points, the CMA preferred to rely on monitoring and the prospect of escalation to conduct requirements if the process reveals that Apple is routinely declining requests without good reasons.
This is where the SCiDA Project’s characterisation of the interoperability commitment as fundamentally procedural rather than substantive becomes particularly salient. The commitment formalises a process for requesting and receiving updates on interoperability access, but it does not oblige Apple to grant access in any particular case. The assessment criteria remain subjective and under Apple’s control. This should not be confused with a meaningful interoperability obligation of the kind found in Article 6(7) of the DMA. The CMA’s conditional escalation mechanism is welcome, but its effectiveness depends on the CMA’s capacity and willingness to make judgments about the reasonableness of Apple’s refusals, which will require significant technical expertise.
Changes Secured in the Final Commitments
The CMA did secure revisions from both firms in response to stakeholder feedback, and these should be acknowledged. Apple expanded its data use safeguards to cover data received by virtue of running the App Store, not merely data collected during app review.
Apple clarified that it would not preference first-party apps or unfairly disadvantage third-party apps, and added public reporting on the percentage of app reviews completed within 4 days and the percentage of appeals completed within 60 days. Google committed to enhanced public reporting on median, 99th percentile, and average app review times globally, as well as median time to action complaints.
Google also clarified that it would not preference ranking solely due to the app generating additional revenue. Both firms added non-retaliation text to the final commitments, explicitly acknowledging that developers should be able to engage with regulators and complain without fear of adverse treatment. Both agreed to more prompt confidential reporting to the CMA in the event of data breaches involving third-party data accessed for competitive purposes.
These are meaningful improvements. But they are improvements to a framework that remains voluntary and that the majority of respondents considered inadequate in the first instance.
Monitoring and What Comes Next
The CMA has established a four-limb monitoring approach comprising developer complaint mechanisms, public reporting by Apple and Google, confidential reporting to the CMA, and the use of formal information-gathering powers under sections 69 and 79 of the DMCCA. The CMA will publish regular compliance updates, with an initial update before the end of 2026 and further updates through 2027.
The CMA has also been explicit that it will move quickly to bring forward conduct requirements if the commitments are not adhered to or prove ineffective. If the design of a conduct requirement is based on the commitments, the CMA expects the process to be short. This is a constructive feature of the approach, as the commitments themselves and the reporting data they generate will provide an evidence base for any subsequent formal action.
At the same time, the conditions under which the CMA would transition from monitoring to enforcement remain somewhat vague. Clearer criteria or indicators for what would constitute evidence of ineffectiveness would provide greater certainty for all stakeholders. The CMA’s response did not fully address this point.
The commitments are the first step in a broader programme. The CMA has published an interim step on steering restrictions on the same day, with further measures expected in the first half of 2026. Work on digital wallets and NFC access, browser engine restrictions, and connected device interoperability is also underway. The CMA will continue to monitor AI developments on mobile platforms. These areas, several of which were highlighted as priorities by respondents, will likely attract conduct requirements rather than commitments, particularly where there is significant divergence between the CMA and the designated firms on what is to be achieved.
Conclusion
The CMA’s decision represents a considered exercise of regulatory discretion within the framework of a new and untested regime. There are legitimate arguments for the commitments approach in these specific areas, particularly as a means of delivering immediate process improvements while conserving resources for more contentious interventions. The revisions secured from both firms demonstrate that the consultation process produced tangible results.
However, the decision to proceed despite majority stakeholder opposition, and despite the concerns raised about legal basis, enforceability, and the adequacy of the interoperability framework, places significant weight on the monitoring and escalation mechanisms. If these prove effective, the CMA’s pragmatic approach will be vindicated. If Apple or Google exploit the discretion the commitments afford, or if the monitoring framework proves too slow to detect and respond to non-compliance, the CMA will face questions about whether it should have used its formal powers from the outset.
For those engaged in competition law research, the episode raises important questions about the emerging architecture of the DMCCA regime. The relationship between voluntary commitments and statutory conduct requirements, the role of comparative regulatory developments in shaping CMA practice, the weight given to stakeholder evidence in regulatory decision-making, and the effectiveness of monitoring as a substitute for binding obligations are all themes that will repay careful study as the regime matures.
The SCiDA Project will continue to monitor and analyse these developments as part of its comparative research programme across the UK, EU, and German digital markets frameworks. The first compliance reports from Apple and Google are due by 30 September 2026. What they contain, and how the CMA responds, will be the next critical chapter.
