Digital firms are subject to general competition and consumer protection laws applicable to all firms (e.g., the Treaty of the Functioning of the European Union (“TFEU”), European Union Merger Regulation, and General Data Protection Regulation).

The European institutions have adopted two main regulations to govern the conduct of digital firms: the Digital Markets Act (“DMA”) and the Digital Services Act (“DSA”). These regulations form part of the European Commission’s wider “Digital Services Act Package” which aims to “establish a level playing field for businesses” and to “create a safer digital space where the fundamental rights of users are protected.”¹

The DMA marks a paradigm shift in the regulation of digital markets, giving the Commission unprecedented powers to regulate large digital platforms. It formulates a series of behavioral “dos and don’ts” for “gatekeeper” platforms that are inspired by past and current competition cases and that are considered important to protect and enhance competition in digital markets. The DMA entered into force on November 1, 2022, and its behavioral rules will become operational during Q1 of 2024.

The DSA, in turn, seeks to improve user safety online and ensure accountability of platforms for content that they transmit, host, or publicly disseminate. It formulates rules for digital intermediaries relating to exemption from liability for content, due diligence obligations, and oversight of content moderation activities. The DSA’s rules are expected to become operational during Q1 of 2024.

The final text of the DMA was approved by the European Parliament and subsequently ratified by the European Council in July 2022. The DMA was published in the Official Journal on October 12, 2022, and it formally entered into force on November 1, 2022.

Key future dates include:

• Gatekeepers will have to notify their “Core Platform Services” (“CPSs”) that meet applicable business and end user thresholds by July 3, 2023.
• The Commission will issue decisions to designate CPSs by September 6, 2023.
• The DMA’s substantive rules will become operational six months later, between January and March 2024. (The rules on mergers, discussed below in Question 14, will enter into force earlier, as the Commission designates platforms as gatekeepers, between July 3 and September 6, 2023.)

The final text of the DSA was approved by the European Parliament and subsequently approved by the European Council in early October 2022. It is expected to be signed by the Council and European Parliament at the end of October 2022. The DSA will formally enter into force twenty days after publication in the Official Journal.

Key future dates include:

• Providers of online platforms and search engines must publish data on their average monthly active service recipients (i.e., end users and business users) three months after the DSA enters into force (likely February 2023). Based on this publication, the Commission may designate them as “Very Large Online Platforms” (“VLOPs”) or a “Very Large Online Search Engines” (“VLOSEs”).
• The Commission will then issue decisions to designate VLOPs and VLOSEs. Firms designated as VLOPs and VLOSEs will have four months following the Commission’s designation decision to comply with the relevant DSA obligations.
• The DSA’s substantive rules will start applying to all other online intermediary service providers during Q1 of 2024.

The Commission will be the sole authority empowered to enforce the DMA, though private parties may be able to bring actions based on the DMA before civil courts for some of the rules (see Question 15).

Designation process. Firms need to be designated as gatekeepers for the DMA’s rules to become applicable. Only the specific services designated as CPSs are subject to the DMA’s behavioral rules. The process for designation is as follows:

• Gatekeeper notification. If a firm operates one of the CPSs listed in the DMA that meets the quantitative thresholds under Art. 3 (see further Question 4), it must notify the Commission within two months that it falls within the scope of the DMA.² In their gatekeeper notifications, firms can seek to rebut the presumption of gatekeeper status, albeit the DMA says that this would happen only in “exceptional circumstances”. The DMA also explains that the Commission will not consider arguments against designation based on market definition or economic efficiencies.³
• Gatekeeper designation. The Commission must designate a firm as a gatekeeper within forty-five working days after receiving the firm’s gatekeeper notification.⁴
• If a firm has sought to rebut the gatekeeper presumption, but the Commission does not believe the arguments to be “sufficiently substantiated," it must reject the rebuttal within forty-five working days after receiving the firm’s gatekeeper notification.⁵
• If a firm has sought to rebut the gatekeeper presumption, and the Commission believes the arguments to be “sufficiently substantiated," it may launch a market investigation within forty-five working days.⁶ The Commission should communicate its preliminary findings within three months and complete the investigation within five months.⁷
• The Commission may also launch a market investigation to determine whether a CPS should be designated despite the service not meeting the quantitative thresholds.⁸ The Commission should communicate its preliminary findings within six months and complete the investigation within twelve months.⁹
• Compliance. Firms will have six months to comply with the DMA’s behavioral rules following the Commission’s designation decision.¹⁰ Within this timeframe, gatekeepers must submit to the Commission an independently audited description of any consumer profiling techniques that it applies to or across its CPSs.¹¹ They should also submit a report describing their compliance with the behavioral rules in Arts. 5-7.¹²

Further specification process. The behavioral rules set forth in Arts. 5 to 7 of the DMA apply directly and are self-executing, without further specification by the Commission.

That said, gatekeepers may request the Commission to engage in a process to determine whether the gatekeeper’s measures comply with the behavioral obligations set out in Arts. 6 and 7 (but not Art. 5).¹³ The Commission has the discretion to decide whether to engage in this process in line with general principles of equal treatment, proportionality, and good administration.

If the Commission wants to specify measures the gatekeeper must implement to comply with Art. 6 or 7, it must first adopt a decision opening formal proceedings.¹⁴ Within six months of this decision, it may then adopt an implementing act specifying the measures that the gatekeeper must implement to be compliant.

This engagement process, however, does not prevent the Commission from adopting a non-compliance decision or imposing fines.

Enforcement process. The Commission may at any stage issue a request for information to a firm, carry out interviews with consenting natural or legal persons, and conduct physical inspections.¹⁵

Where the Commission suspects that a gatekeeper may not be complying with the DMA’s rules, its enforcement practice will likely follow these steps:

• Opening of proceedings. The Commission must adopt a decision opening formal proceedings when it intends to investigate potential non-compliance.¹⁶
• Statement of objections. If the Commission considers adopting a non-compliance decision, it must communicate its preliminary findings to the gatekeeper and set out its proposed remedies in a statement of objections. The Commission may also consult with third parties.¹⁷
• Response to statement of objections and access to file. Gatekeepers will be permitted to respond to the Commission’s preliminary findings.¹⁸ They will also be able to receive access to the Commission’s file (see Question 9).¹⁹
• Non-compliance decision. The Commission must aim to publish a non-compliance decision within twelve months from the opening of proceedings where it considers that a gatekeeper has infringed the DMA’s rules.²⁰ The Commission may impose fines (see Question 10).²¹ The DMA does not set out a timeline for the Commission to adopt a decision finding no violation.
• Response to non-compliance decision. In response to a non-compliance decision, the gatekeeper must explain how it intends to bring the infringement to an end within the deadline specified in the Commission's decision.²²
• Appeal. Commission decisions are subject to appeals before the EU courts by the addressees of those decisions but they do not automatically have suspensory effect (see Question 9).
• Investigations into systematic non-compliance. The Commission may also launch a market investigation to assess whether a gatekeeper engages in systematic non-compliance (i.e., where the Commission has issued at least three non-compliance decisions within a period of eight years). The Commission must communicate its preliminary findings to the gatekeeper within six months (including what remedies it considers may be necessary and proportionate) and conclude the investigation within twelve months.²³ If the Commission finds a gatekeeper to have engaged in systematic non-compliance, the Commission may impose behavioral or structural remedies on the gatekeeper (see Question 10).²⁴

The DMA applies to platforms that operate as gatekeepers between business users and end users and that hold an “entrenched and durable position.”

To be a gatekeeper, a firm must operate at least one CPS in at least three member states. CPSs are defined based on a broad list of services: online intermediation services (e.g., online marketplaces and app stores), search engines, social networks, video-sharing platforms, number-independent interpersonal communication services, operating systems, web browsers, virtual assistants, cloud computing services, and online advertising services.²⁵

If a firm operates a CPS, it will be presumed to be a gatekeeper if it meets three cumulative criteria:²⁶

• Financial threshold. The firm’s group must have an annual EU turnover of at least EUR 7.5 billion in each of the last three financial years or an average market capitalization amounting to at least EUR 75 billion in the last financial year.
• End users and business users. The CPS must have at least 45 million monthly active end users (“MAUs”) established or located in the EU and at least 10,000 annual active business users established in the EU. The DMA’s annex provides a methodology and indicators for calculating MAUs and business users, per CPS category.
• Lasting basis. The quantitative thresholds for end users and business users must be met in each of the last three financial years.

Even if the presumption of gatekeeper status does not apply, the Commission can designate firms offering CPSs as gatekeepers on the basis of qualitative criteria, albeit this is a longer process requiring an up to twelve month market investigation.²⁷

The Commission must, under the qualitative designation procedure, establish that the firm in question has a significant impact on the market and operates a CPS that is an important gateway and that enjoys an entrenched and durable position.

The DMA sets out a series of factors that the Commission must take into account, at least in part, to qualitatively designate a gatekeeper.²⁸ Examples include the size and turnover of the firm, CPS user figures, network effects and data-driven advantages, benefits arising from scale and scope, and lock-in effects.

The DMA also allows firms providing CPSs, in exceptional circumstances, to rebut a presumption of gatekeeper status.²⁹ The DMA states that arguments related to market definition or efficiencies will not be taken into account as part of this assessment.³⁰ As discussed in Question 3, the Commission may reject these arguments within forty-five working days after the firm’s gatekeeper notification or launch a market investigation that should take up to five months.³¹

Once a firm is designated as a gatekeeper, it must comply with the DMA’s behavioral rules for each of its CPSs that satisfy the quantitative thresholds. In other words, the DMA is not “all in” such that once a firm is designated as a gatekeeper, the DMA’s rules would apply to all its products or services. Rather, only the specific products or services designated as CPSs are subject to the DMA’s rules. This feature of the DMA contrasts with some other digital regulatory regimes, such as Section 19a of the German Competition Act.

The DMA sets out three sets of behavioral obligations with which gatekeepers must comply. The first set of obligations is presented as being “specific” (Art. 5), while the other two are described as being open ended and capable of further specification by the Commission (Arts. 6 and 7). In practice, the difference between these obligations is reasonably minor: all rules appear to apply directly and are self-executing.³²

Some of the DMA’s rules apply to all CPS categories. For example:

• Prohibition on combining or cross-using personal data obtained by a CPS with data obtained by other services without the user’s consent (Art. 5(2)).
• Prohibition on using non-publicly available data of business users of CPSs to compete with the business users (Art. 6(2)).
• Requirement to provide end users of CPSs, free of charge, with the ability to port their data to other platforms (Art. 6(9)).

Other rules apply to specific categories of CPS. For example:

• Requirement to allow end users to uninstall apps from a CPS operating system (Art. 6(3)).
• Requirement to enable users to easily change defaults and to show choice screens on their CPS operating systems for choosing virtual assistants, web browsers and online search engines in certain circumstances (Art. 6(3)).
• Prohibition on CPS search engines, online intermediation platforms, social networking services, virtual assistants, and video sharing platforms to treat first party services more favorably in ranking compared to similar third party services (Art. 6(5)).
• Requirement for CPS operating systems and virtual assistants to give third party service providers and hardware providers, free of charge, interoperability with and access to the same hardware and software features as to the gatekeepers first party products (Art. 6(7)).
• Requirement for CPS online search engines to share anonymized ranking, query, click, and view data with rival search engines on a fair, reasonable, and non-discriminatory basis (Art. 6(11)).
• Requirement to make the basic functionalities of a number-independent interpersonal communications services interoperable with rival services “by providing the necessary technical interfaces or similar solutions that facilitate interoperability” (Art. 7).

For a summary of all the DMA's rules, see the Annex at the end of this Chapter.

There are no rules in the DMA regulating the relationship of online platforms and news publishers. In particular, contrary to some demands raised during the legislative process, there are no obligations for platforms to pay news publishers for content that appears on their CPSs.

While some have suggested that Art. 6(12) might require gatekeepers to pay news publishers for the display of content, Members of Parliament that were involved in the negotiation of the DMA’s text have clarified that this is not the case.³³

Not expressly. The Commission does not need to establish the competitive effects of gatekeeper’s conduct in order to establish a breach of the DMA’s behavioral rules. The Commission will, however, need to consider firms’ arguments that the conduct in question either is not covered by the scope of the rule, falls under the narrow grounds for suspension or exemption in Arts. 9 and 10 of the DMA, or is proportionate given the DMA’s overall objectives.

In addition, the DMA is subject to the overall principle of proportionality (see Question 8).

The DMA does not explicitly allow for efficiency justifications and only provides for narrow grounds for suspension or exemption:

• Suspension, if the obligation puts the “viability” of the service at risk “due to exceptional circumstances beyond the control of the gatekeeper," which is a high bar.³⁴ Suspension may be subject to conditions and obligations defined by the Commission.
• Exemption, on grounds of public health or public security.³⁵

In practice, however, the DMA must be interpreted, applied, and enforced based on the fundamental principle of proportionality.³⁶ The Commission's measures must therefore be appropriate and necessary to achieve the objectives of the DMA. Where there are numerous appropriate measures, the least onerous measures should be used, and the disadvantages of the measures must not be disproportionate to the aims pursued.³⁷

Accordingly, gatekeepers should be able to rely on the principle of proportionality to justify their conduct under the DMA. Proportionality is a general principle of EU law, and it is therefore implied that proportionality has to be considered by the Commission in each individual case.

Finally, several rules explicitly import concepts of fairness, reasonableness, or proportionality, and therefore by implication allows for justification on those grounds. Such rules include:

• Art. 6(3), which carves out the uninstallation obligation for apps that are essential for the operating system or device and are not offered on a standalone basis by third parties;
• Art. 6(5), which refers to fair conditions of ranking;
• Art. 6(7), which refers to necessary and proportionate measures to ensure interoperability while not compromising the integrity of the CPS or its associated hardware and software;
• Art. 6(11), which refers to fair and reasonable conditions of access to search data; and
• Art. 6(12), which refers to fair and reasonable access to app stores, search engines, or social networks.

Ahead of adopting any decision under the DMA (e.g., non-compliance, fines, commitments, suspension, exemption, market investigation), the Commission must inform the gatekeeper of its preliminary findings and measures that it may propose in light of its preliminary findings. The Commission will provide the gatekeeper with a deadline (at least fourteen days) within which it may respond to the Commission’s preliminary findings.³⁸

Gatekeepers are entitled to have access to the Commission’s file subject to the legitimate interests of undertakings in the protection of their business secrets. The right of access does not extend to confidential information and internal documents of the Commission or the NCAs.³⁹

Gatekeepers will be able to appeal the Commission’s decisions under the DMA before the EU courts. The EU courts will conduct a full review of the facts and law underpinning the Commission’s reasoning, and the normal processes can be expected to apply (e.g., there is no bar on private parties adducing new evidence before the EU Courts).⁴⁰

In traditional competition cases, the Commission has enjoyed a margin of discretion when it comes to complex economic assessments, such as market definition and dominance.⁴¹ When it comes to the DMA, however, there is not expected to be such a margin of discretion because the DMA is supposed to avoid complex economic assessments in favor of simple rules.

Appeals before the EU courts will not have automatic suspensive effect unless interim measures are granted. Parties can apply for interim measures. The test for granting such measures is whether the appeal gives rise to a prima facie case and there is urgency because implementing the decision gives rise to a risk of serious and irreparable harm.

Non-compliance with the DMA’s rules can lead to fines of up to 10%ㅡor, in the event of repeated infringements, up to 20%ㅡof annual global turnover.⁴² The Commission may also impose behavioral and structural remedies in the case of systematic infringements (i.e., where the gatekeeper violates the rules at least three times in eight years).⁴³

In instances where there has been a breach of the procedural framework (e.g., failure to provide the Commission with complete and accurate info, including notification for gatekeeper designation), gatekeepers can be fined up to 1% of global annual turnover.⁴⁴

There is no personal or criminal liability under the DMA.

The Commission has the power to issue guidance to assist gatekeepers in the implementation of their obligations under the DMA, but it has not yet done so.⁴⁵ The Commission is expected to publish draft guidance for consultation in November 2022, before finalizing the guidance in early 2023.

The DMA is principally competition based and many of its behavioral rules have been inspired by previous competition cases. Its rules touch on conduct relating to a range of issues, such as privacy, data usage, and consumer protection issues.

The EU is separately introducing new regimes to tackle other areas of concern in digital markets. The Digital Services Act seeks to improve user safety online (particularly in relation to illegal content), transparency, and the accountability of online platforms. The Data Act intends to regulate online platforms’ data practices, provide users and businesses with greater control over their data, and create a harmonized framework for data sharing within the EU.⁴⁶

Many of the DMA’s rules are inspired by the European Commission’s previous competition decisions or ongoing investigations. For example:

• Apple Pay investigation. The Commission has issued a statement of objections in its investigation into whether Apple has abused its dominance by limiting access to the near-field communication technology used for contactless payments on mobile devices only to Apple Pay.⁴⁷ This investigation inspired the DMA’s interoperability obligation for operating systems and virtual assistants (Art. 6(7)), along with the workgroup server case against Microsoft.
• Apple App Store investigation. The Commission is investigating concerns that Apple mandates the use of its proprietary in-app billing system by app developers on iOS and restricts the ability of iOS app developers to inform users of alternative payment methods outside of apps via anti-steering provisions.⁴⁸ This investigation inspired the DMA’s anti-steering provisions (Arts. 5(4) and 5(5)) and the ban on app stores requiring the use of first party payment systems by app developers (Art. 5(7)).
• Amazon Marketplace investigation. The Commission is investigating Amazon’s use of non-public data related to its third party sellers to compete with them as a retailer on its own online marketplace, its criteria for selecting which product offer is placed in the “Buy Box”, and which sellers can list products under Amazon’s “Prime” label on its marketplace.⁴⁹ Amazon has offered commitments and negotiations are ongoing.⁵⁰ This inspired the DMA’s rule prohibiting the use of business users’ data to compete with them (Art. 6(2)).
• Google Shopping decision. The Commission found that Google had abused its dominance by positioning and displaying Google Shopping more prominently than rival comparison shopping services in its general search results pages. The General Court partly upheld the Commission’s ruling.⁵¹ Google is appealing the decision to the Court of Justice. This decision inspired the DMA’s non-discriminatory ranking obligation (Art. 6(5)).

Art. 14 DMA requires gatekeepers to inform the Commission of all intended mergers and acquisitions “where the merging entities or the target of concentration provide core platform services or any other services in the digital sector or enable the collection of data,” regardless of whether these transactions meet EU merger control thresholds.⁵²

In practice, Art. 14 means that gatekeepers should inform the Commission of substantially all of their transactions prior to closing. But the Commission does not need to make a clearance decision under Art. 14 before a gatekeeper can close a deal.

Art. 14 is designed to help the Commission review transactions that fall below the jurisdictional thresholds of the EU Merger Regulation by making it easier for NCAs to create jurisdiction for the Commission through referrals under Art. 22 of the EU Merger Regulation. The Art. 22 route allows the Commission to review transactions that do not meet EU or national merger control thresholds, even post-closing, within strict time limits.

EU law provides for the ability of parties to invoke EU regulations before national courts if the rules in question are sufficiently precise and unconditional and confer rights to individuals.⁵³ At least some, but not necessarily all, of the DMA’s behavioral rules may meet these conditions. The DMA, accordingly, formulates rules for “proceedings for the application” of the DMA before national courts (e.g., the right of the national court to ask the Commission for an opinion, the obligation to transmit judgments, and the right of the Commission to intervene in such proceedings).⁵⁴

National courts will, however, not have the power to impose fines or to designate gatekeepers, which will be reserved for the Commission.

Behavioral rules susceptible to private litigation might include rules listed under Art. 5. By contrast, it is more questionable whether the rules under Art. 6 and 7 are sufficiently precise for private litigation because the DMA recognizes that these rules require further specification.

The recent Court of Justice judgment in DB Station & Service AG may have implications for private enforcement of secondary EU legislation such as the DMA.⁵⁵ On one reading, the judgment suggests that before a private action could be taken, there needs to be a decision of the competent sectoral regulator. The consequences of this judgment are still being assessed.

As the Commission will be the sole enforcer of the DMA, national competition authorities (“NCAs”) will not be able to adopt gatekeeper designation or infringement decisions under the DMA. However, the DMA provides for NCA involvement in supporting enforcement and investigating potential DMA infringements. In particular:

• The Commission may consult NCAs on any aspect of the DMA.⁵⁶
• The Commission will have the ability to ask NCAs to support its market investigations under the DMA.⁵⁷
• NCAs may investigate cases of potential non-compliance under Arts. 5, 6, and 7 of the DMA in their own territories provided that Commission is not investigating the same conduct.⁵⁸
• NCAs will be competent to hear complaints by third parties about non-compliance with the DMA.⁵⁹
• Once a gatekeeper informs the Commission of an intended acquisition under Art. 14(1) (see Question 14), the Commission must share that information with NCAs.⁶⁰ NCAs may then request the Commission to analyze the concentration under Art. 22 of the EU Merger Regulation.⁶¹

While the DMA does not set out a specific complaint handling procedure, third parties may inform the Commission or NCAs about any conduct that may infringe the DMA. The Commission and NCAs retain full discretion to decide whether or not to investigate the conduct in question.⁶²

The DMA also provides for third party involvement at various stages of the enforcement process. In particular:

• Third parties may provide comments ahead of the Commission adopting any specifying measures that the gatekeeper must implement to comply effectively with specific Art. 6 or 7 obligations.⁶³
• Third parties may be consulted before the Commission implements a non-compliance decision.⁶⁴
• Third parties may provide comments prior to the Commission adopting any commitments to address non-compliance.⁶⁵
• The Commission may consult third parties during a market investigation into whether to expand the list of CPSs or gatekeeper obligations.⁶⁶
• Third parties may provide comments ahead of the Commission adopting an implementing act.⁶⁷

Forthcoming implementing legislation may specify the position of complainants and interested third parties in more detail.

Yes, the Commission may conduct a market investigation to examine whether other services in the digital sector should be added to the list of CPSs or whether new obligations should be included in the DMA. The Commission must aim to publish a report outlining the findings of its investigation within eighteen months from the opening of the investigation. It may then make a legislative proposal to the European Parliament and Council to add further CPSs or new obligations to the DMA.⁶⁸