Gatekeepers Submit their DMA Compliance Reports: Regulatory Complexity Trumps Effectiveness?

Compliance, by Markus Winkler

For the third time in a row, gatekeepers submitted their compliance reports to demonstrate that they have progressed in terms of the DMA’s enforcement, abiding by the obligation set out in Article 11 DMA. The newly updated version of those reports presents a highly nuanced picture where each regulatory target addresses the topics that the European Commission considers to be conflicting with an effective enforcement of the DMA.

As opposed to other iterations with the European Commission (see previous comments on the first and second year of the gatekeepers’ submission of compliance reports, here and here), it is quite difficult to extract any general trends surrounding the gatekeepers’ compliance strategies. Their exchanges with the European Commission have proved productive in practice; the enforcer does not address broad problems arising from blatant infringements of the DMA. Instead, intricate conversations are held with gatekeepers to address the nuts and bolts of enforcement on the ground. This post covers the main developments that have crystallised in this year’s gatekeeper compliance reports.

 

A Quick Overview of the Compliance Reports as a Means of Responding to the DMA’s Institutional Design

Article 11 DMA compels gatekeepers to report updates on their technical implementation to the EC (and to third parties, through the non-confidential version). All gatekeepers that had their compliance deadline due in March 2026 delivered on the obligation by setting out a detailed account of how they comply with the 23 obligations mandated by the DMA.

Following last year’s approach towards their reporting obligation, the gatekeepers are not particularly innovative in terms of presenting new content relating to how they run their business models in the EU. As a matter of fact, some compliance reports remain completely unchanged but for a couple of sentences here and there. Other compliance reports expand on the See in Table 1 below the number of pages that the compliance reports hold, as opposed to their previous iterations.

 

Table 1. A comparison of the number of pages in each compliance report submitted by six gatekeepers.

 

| Gatekeeper | 2024 comp. report | 2025 comp. report | 2026 comp. report |
|---|---|---|---|
| Alphabet | 211 pages | 211 pages | 225 pages |
| Apple | 12 pages | 240 pages | 299 pages |
| Amazon | 32 pages | 178 pages | 178 pages |
| ByteDance | 52 pages | 56 pages | 60 pages |
| Meta | 57 pages | 76 pages | 79 pages |
| Microsoft | 421 pages | 433 pages | 434 pages |

The compliance reporting obligation forms a growing body of paperwork before the European Commission, which demonstrates that gatekeepers are reluctant to alter too many aspects of their business models given the impending risk that a particular change to any of their policies might spark the enforcer’s interest and enforcement actions. This is particularly striking for some regulatory targets, such as Amazon, Microsoft or Meta, that have introduced very few changes in terms of their compliance strategies.

Given that the number of pages of the gatekeepers’ compliance reports is not the best indicator of whether a regulatory target has substantially altered the terms of its compliance strategy, Table 2 below lists the provisions that have undergone changes over the years stemming from their reporting obligations.

 

Table 2. A comparison of the gatekeepers' compliance reports from the perspective of the transformations they operate.

 

| Gatekeeper | Provisions concerned in 2024 compliance report | Provisions concerned in 2025 compliance report | Provisions concerned in 2026 compliance report |
|---|---|---|---|
| Alphabet (8 core platform services) | All provisions, except Article 7. | Articles 5(8), 6(3) and 6(9). | Articles 5(3), 5(4), 6(3), 6(4), 6(9), 6(10) and 6(12). |
| Apple (4 core platform services) | All provisions, except Articles 5(4), 5(5), 5(9), 5(10), 6(5), 6(6), 6(11), 6(12) and 7. | Articles 6(3) and 6(9). | Articles 5(2), 5(4), 6(3), 6(4), 6(7) and 6(13). |
| Amazon (2 core platform services) | All provisions, except Articles 5(5), 6(3), 6(4), 6(11), 6(12) and 7. | No changes. | Article 6(9). |
| ByteDance (1 core platform service) | All provisions except Articles 5(3), 5(7), 5(9), 5(10), 6(3), 6(4), 6(6), 6(7), 6(10), 6(11) and 7. | Articles 5(2) and 6(10). | Articles 5(2), 6(9) and 6(12). |
| Meta (5 core platform services) | All provisions except Articles 6(3), 6(4) | No changes. | Articles 5(2), 6(9) and 7. |
| Microsoft (2 core platform services) | All provisions except Articles 5(3), 5(9), 5(10), 6(2), 6(11) and 7. | Articles 5(2), 6(2) and 6(13). | Articles 5(2), 6(2), 6(3), 6(4), 6(7), 6(10) and 6(12). |

As opposed to Table 1 above, Table 2 demonstrates a turning point for DMA compliance. Year 2 of the regulation’s application (in the 2024-2025 period) was particularly disappointing in terms of the DMA’s progressive application. Year 1 forced all gatekeepers to reflect on their business models and identify which parts of their daily operations converged with the regulation’s standards. For the most part, all gatekeepers performed a comprehensive overview of the way in which their services functioned in the EU. That trend stalled nearly completely in Year 2, when the gatekeepers adopted a wait-and-see approach towards compliance.

Gatekeepers stayed their business models in the EU (against the promises of innovation, one could say) and waited for the force of the European Commission’s enforcement actions against the regulatory targets who were (and are) targeted via non-compliance and specification proceedings. It was (and is!) a question of deterrence. If the EC’s expansive reading of the DMA holds ground before the Courts, then the gatekeepers are forced to apply a tempered-down version of their business strategies in the EU. Every substantial business decision must be previously discussed and receive an informal acquiescence from the EC before it takes any kind of form in the EU markets. If the EU Courts disagree with the EC on the merits of their non-compliance and specification decisions, then a deterrence-free landscape appears before them. Under the environment of plausible deniability, gatekeepers will be able to dodge the DMA’s obligations as much as they did when they faced the application of EU competition rules. The market moves fast, business decisions grow old and some things might get broken in the interim.

Year 3 in the compliance strategies of the gatekeepers sees a turning of the regulatory tide. Although gatekeepers might be reluctant to operate a great deal of change in their business models for the time being by, for instance, introducing new forms of complying with a particular provision, transformations are taking place in those instances where minimal tweaks to compliance make all the difference.

That is the case, for example, for Alphabet’s approach towards Article 6(4) DMA (the alternative app distribution mandate). Until this year’s compliance report, Alphabet defended that it was not forced to do much in terms of allowing alternative app distribution channels on Android-reliant devices. In previous iterations, three sentences clarified that “Google Android already complied with Art. 6(4) prior to the DMA because it allows users to sideload third-party apps and app stores onto their device, and allows downloaded apps to prompt users to set the app as default. And it already did so prior to the DMA’s adoption” (page 121 of its compliance reports issued in 2025). This is the same message that Alphabet presented on its latest compliance workshop held last year (for a review of the workshop, see here). However, stakeholders and third parties relying on sideloading as their main method to reach end users highlighted that Android’s handling of third-party app stores and apps was certainly sub-par because it introduced too much friction, disincentivising the consumer to opt for an alternative app distribution channel. In this year’s compliance report, Alphabet has finally reacted to the backlash and ensured that it is working on two new measures, notably i) a process to register an app store as a legitimate app marketplace so that users can click on a link from a website and install the app store without too much friction (the Registered App Stores program); and ii) the simplification of the sideloading flow by reducing the number of screens required to grant an app permission to sideload other apps (pages 112-113 of the compliance report).

Against this framework, gatekeepers are still in wait-and-see mode, but it really seems that the constant informal dialogues with the European Commission are working their way up in changing their corporate culture.

 

Non-Compliance Procedures, Steering and Microsoft’s Creative Interpretation of the DMA’s Provisions

One cannot be exhaustive in detailing what has changed and what stayed the same in this year’s compliance reports (as in any other DMA iteration!). It’s possible, however, to point to three main trends that stand as green, grey and red flags to the DMA’s application.

The European Commission imposed the first fines in the DMA’s history against two gatekeepers: Meta for its breach of Article 5(2) DMA and Apple for its infringement of Article 5(4) DMA (see a comment on those decisions, here and here). Even though the reasoning underlying the non-compliance decisions is certainly clear, the end-result that the enforcer wanted to achieve was less apparent. The enforcer can determine what type of compliance meets the effective enforcement threshold, but it cannot impose the terms of the solutions that will resolve those problems. It is up to the gatekeepers to interpret the instructions given by the EC so that they, in the end, meet the regulatory benchmark.

On Meta’s side, the European Commission followed the EDPB’s lead by stating that “Meta should offer end users of its Facebook and Instagram environments, whose personal data obtained by Meta via its non-ads services is combined with personal data obtained via (…) Meta Ads, with a less personalised, but equivalent alternative to the With Ads option” (emphasis added). The EC built on this statement and fleshed out the characteristics that the less personalised but equivalent alternative should follow, notably that it: i) “should be presented in a neutral manner and choice flows should allow end users to freely choose to opt-in to that alternative”; ii) “to the extent that the alternative involves the servings of advertisements (…), it may not involve the processing of personal data which is subject to the requirements of specific choice and end user consent (…)”; and iii) “(it) should be equivalent to the service for considering users (…), (and) should not be provided against a fee so long as the service for consenting users is not provided against a fee” (para 367 of the non-compliance decision).

Meta’s compliance report precisely introduces this less personalised, but equivalent alternative by updating the choice screens of its pay or consent subscription models. When logging into their Facebook and/or Instagram accounts, users will be prompted to select whether they wish to subscribe to their use without ads (in exchange for €5.99 or €7.99/month, depending on the device type) or whether they wish to use the service free of charge with personalised ads. In essence, the pay or consent subscription model stands, but users choosing to use the services with ads are subsequently forced to “choose the degree to which the ads they receive will be personalised” acting as a “de facto dimmer switch that provides users with the ability to effectively dial back the relevance of the ads delivered to that user” (pages 17 and 18 of the compliance report). The prompt shown to users is included in Image 1 below:

 

Image 1. The Meta Ads less personalised alternative choice screen, extracted from page 18 of Meta's compliance report.

 

The prompt is further complemented by other adjustments that the end user can make to, for instance, control the information provided to Meta by third-party ad partners about an end user’s activity for the purposes of showing an ad (pages 21 and 22) or choose whether they want to be shown fewer ads relating to certain topics (pages 22-24). The change, announced in January 2026 by the European Commission, perpetuates the pay or consent subscription model, which it heavily criticised in its non-compliance decision on the basis that it did not “enable users to freely give consent to the combination of their personal data from Meta’s non-ads services with personal data from Meta Ads, within the meaning of Articles 4(11) and 7 GDPR” (para 271 of the non-compliance decision).

Needless to say, the current technical implementation hardly addresses the questions of law raised by the European Commission in its non-compliance decision, i.e., how Meta tackles the imbalances of power and detriment caused to consumers (para 241). At the very least, Meta’s compliance report illustrates the need for further steps to be taken by the European Commission in terms of how consumer data is combined across its data infrastructure and for what purposes. On top of that, Meta’s decision to scrape data from Facebook and Instagram to feed its large language model is nowhere to be seen in the compliance report (illustrating the problems in terms of Article 5(2), see our comment here).

On the front of Apple’s response to the European Commission’s enforcement action, its implementation of Article 5(4) DMA does not seem particularly surprising (nor compliant with the terms of the EC’s non-compliance decision, as I argued here). In contrast with the Meta case, the EC’s analysis of Apple’s implementation of the steering mandate under Article 5(4) was much more nuanced and, in the end, it set out a list of high-level principles that its future compliance solution should include. Those principles included, for example, that Apple should “ensure that any potential remuneration for facilitating the initial acquisition of end users by the app developers: i) is related to the initial acquisition only, both in terms of time and scope, which means that it cannot be extended to already acquired end users; ii) is commensurate to the value of the initial acquisition and must take into account any other, direct or indirect, remuneration received from business users for facilitating the initial acquisition and; iii) does not remunerate the gatekeeper for gatekeeper value. Apple is prohibited from imposing any other type of fee (in addition to a potential fee for initial acquisition) that covers services linked to the acquisition of end users” (para 312 of the non-compliance decision, see here a review of the non-compliance decision).

As it announced back in June 2026 at its compliance workshop, Apple introduced a new fee structure that applies when developers communicate and promote offers, inside or outside their apps. Four types of fees will be applied (which seems an awful lot more than the EC initially expected). First, the initial acquisition fee will be charged “when an end user purchases a digital good or service using an actionable link from the developer’s app within a 6-month period after the user’s initial unpaid download of the app” to account for “the capabilities the App Store provides when connecting developers with end users in the EU” (page 64 of the compliance report). The fee amounts to 2% of the transaction performed by the end user. Second, the store services fee is applicable “on all sales of digital goods or services using an actionable link that occur within a 12-month period from the date of any install, including app updates and reinstalls”. Depending on the tier selected by the app developer (tier 1 or tier 2), the fee will amount to 5% or 13% on the transactions performed by the end user on third-party apps (pages 64 and 65 of the compliance report). Third, the Core Technology Commission reflects the “value Apple provides developers through ongoing investments in tools, technologies and services that enable them to build and share innovative apps with users”. It charges a 5% commission on sales of digital goods or services using an actionable link that occur within a 12-month period from the date of an install, including app updates or reinstalls (page 65). Fourth, the Core Technology Fee applies to developers on the New Business Terms (i.e., those developers that, for instance, do not depend on the App Store because they distribute their apps through alternative channels) and charges €0.50 for each install of their apps (page 65). A summary of those fees can be found in the image below:

 

Image 2. Apple's current fee structure, extracted from its own website in June 2025.

 

In its compliance report, Apple announced that it has “proposed further changes to its business terms” but has yet to implement them as it is “engaged in ongoing constructive conversations with the EU about those proposed changes”. The European Commission is still reviewing Apple’s fee structure (not only through steering, but more broadly) under a separate non-compliance procedure under Article 6(4) DMA.

From the perspective of Article 5(4) DMA, Apple’s compliance strategy defies the high-level principles set out by the European Commission, given that it charges the developers thrice for steering their users (at the very least, through the initial acquisition, store services and Core Technology Commission), well beyond the fair remuneration it can earn to compensate for materialising the initial acquisition of the end user for the app developer. Apple’s compliance strategy has already brought its consequences, not only for its own business and end users, but also in incentivising other gatekeepers, such as Google, to follow their lead and charge the same types of fees stemming from steering (see Google’s approach here, not mentioned in its compliance report).

On this same point of ‘following’ the EC’s instructions, Apple’s approach towards the vertical interoperability mandate under Article 6(7) DMA demonstrates a fundamental rework of its previous approach to interoperability, abiding by the implementation measures that the enforcer has set out in its two specification proceedings (see here and here). The gatekeeper pays close attention to those implementation measures and integrates them into its way of doing things in terms of interoperability (pages 184-204 of Apple’s compliance report). One can get a sense of whether those implementation measures are working in practice, since Apple also included in its compliance report the wide array of KPIs that the EC forced it to disclose in the specification proceedings (pages 297-299).

On the front of the green flags, the DMA’s implementation is delivering some of the results that its adoption promised. For instance, Meta confirmed that it has partnered with two third-party messaging services, BirdyChat and Haiket, to implement its interoperability under Article 7 DMA (para 59 of Meta’s compliance report). BirdyChat is a chat app built for professionals, designed to separate work from personal life, which has not yet launched its service but has integrated with WhatsApp. BirdyChat’s example demonstrates that operators might also see the opportunities opened by Article 7 DMA as a window to propose new use cases that work especially well with the interoperability solution. Questions still remain on whether Meta’s design of its compliance solution under Article 7 DMA meets the demands of existing competitors, which could actually contest WhatsApp’s position in the market.

Compliance solutions that already met the effective enforcement threshold in the past are also reconsidered by gatekeepers, due to the EC’s pressure to do more. For instance, Google has finally tweaked its approach in implementing Article 6(3) by proposing to build a central default switch for online search engines on Android devices, which will allow users to switch their default search engine from the default apps menu in Settings. The user’s choice will propagate to the online search engine widget on the device home screen. The gatekeeper is also building functionality to allow online search engine apps on Android to prompt their users to be set as a default (page 126 of Alphabet’s compliance report).

Apple introduced similar changes on its iOS once the European Commission triggered a non-compliance procedure for a breach of Article 6(3) DMA. The enforcer dropped the charges against Apple after their introduction. In this sense, we’re already seeing that the European Commission’s approach in interpreting one of the provisions with regard to one of the gatekeepers might mirror the compliance solutions offered by another one.

As a matter of fact, collaboration between gatekeepers may also reinstate some of the formerly closed-off dynamics that worried regulators and competition authorities. Apple and Google are working in partnership to develop a device-switching solution to facilitate and streamline end users’ switching from iOS to Android and vice-versa (para 34 of Alphabet’s compliance report). A beta version of the solution was released in December 2025. The technical implementation will counter one of the features that steered users to one of the two main operating systems within the duopoly: the lock-in within one ecosystem or the other. As reported by competition authorities, learning costs and difficulties transferring data meant that the number of users switching from an iOS to an Android device or vice-versa was negligible (between 5-8% of users). Depending on the final roll-out of the switching functionality, the partnership may amount to one of the most consequential transformations in terms of lowering barriers to switching devices. In turn, one always wonders whether the technical implementation may operate in favour of the existing duopoly, to the extent that switching will be easy between their devices, but operate against the rest of their competitors’ opportunities to compete in the market. Instead of a walled garden and a semi-open ecosystem, the transformation may operate as an expansion of the walled garden where its fences encompass both gatekeepers’ ecosystems.

Due to pressure from stakeholders (and most prominently, from Open Web Advocacy), the gatekeeper finally budged and agreed to place the icon of the browser selected by the user as a default from the choice screen displayed according to Article 6(3) DMA in the hotseat of new Pixel devices (page 125 of Alphabet’s compliance report) (although not on all Android devices). This demonstrates the importance of holding gatekeepers to account in their compliance workshops and the need for transparency in decision and policymaking when it comes to capturing their conduct in one way or another.

Considering that we have gone through the green and grey flags, let’s now consider the red flags that promise to bring some heat under Microsoft’s feet. Despite the fact that Microsoft had so far been the most well-considered gatekeeper, due to its propensity to flesh out its compliance solutions in detail and abide by the terms of the DMA, the most worrying developments that have taken place in the last wave of compliance reports come precisely from this gatekeeper.

On one side, the gatekeeper has announced in its compliance report (in the Annex relating to its LinkedIn service) that it is expanding the purposes of its consent mechanism under Article 5(2) DMA. In December 2024, it introduced a GDPR opt-in consent mechanism for members to consent to LinkedIn’s processing of certain categories of personal data, which is the opt-in consent that it also applies in compliance with Article 5(2)(a) DMA (page 3 of Microsoft’s compliance report). Although the gatekeeper does not explicitly recognise the change in its compliance report, some of the purposes of the consent mechanism have been expanded, notably LinkedIn’s use of data to improve its aggregate models that optimise the relevance of its ads. When expanding these purposes, Microsoft risks rendering the consent granted by the user non-specific and nudging users into broader data sharing than the DMA initially intended to allow via Article 5(2) DMA.

On the other side, Microsoft introduces several complex-to-understand tenets to its approach towards Article 6(3) when it comes to its Windows PC operating system (in the Annex relating to this service). Even though changes were introduced in March 2025 (but not reported at that time), Microsoft acknowledges that it “provides a simplified way to change defaults for file and link types (that are) commonly handled by browsers” (page 77 of Microsoft’s compliance report). On new devices, Edge is configured as the default for each of these link and file types. By shipping every new Windows PC with Edge pre-configured for every possible link and file type, Microsoft ensures it captures the vast majority of the market share at the moment of first use. The fundamental problem across both instances is a strategy of adversarial transparency, where Microsoft uses the sheer technical complexity of its compliance reports to camouflage substantive shifts that actually entrench its market power.

 

Key takeaways

The third year of the gatekeepers’ DMA reporting reveals a regulatory landscape that has shifted from broad transformation to a granular battle over the nuts and bolts of implementation. While the growing volume of documentation suggests a commitment to transparency, the reality is far more ambivalent. We are seeing a turning of the regulatory tide where gatekeepers have moved past their initial wait-and-see approach, though not necessarily to embrace the spirit of the law.

Whether it is Alphabet finally simplifying sideloading after immense stakeholder pressure, or Apple re-engineering steering-justified fee structures to bypass the core of the EC’s non-compliance decision, the trend is clear: gatekeepers are using technical and legal complexity as a defensive shield. Therefore, the DMA’s effective enforcement will depend on the enforcer’s ability to pierce through the gatekeeper complexity bubble and ensure that their compliance solutions result in a genuine enhancement of contestability and fairness, rather than creating a more sophisticated walled garden.
