Understanding the European Digital Markets Act (DMA law) and its impact on businesses

The European Union’s Digital Markets Act (DMA) is one of the most significant regulatory developments since the introduction of the General Data Protection Regulation (GDPR). Its focus on fairness, transparency, and competition is reshaping the way that the designated gatekeepers, businesses, developers, and users work, play, and otherwise interact in the online ecosystem.

For businesses, understanding the DMA is not explicitly about avoiding fines. But it is about future-proofing marketing and data privacy practices to align with ongoing developments in the gatekeepers’ policies. Few companies doing business in global digital markets can risk losing access to the ads, analytics, and other platforms they rely on.

Understanding the DMA is also about preparing for long-term structural changes in how digital platforms operate, how businesses reach customers, how companies can exercise influence, and how user rights are enforced.

We look at the DMA and its impact on data privacy requirements (including consent management), the evolution of web technologies, and the effects on businesses of different sizes, maturity, and industries.

Key takeaways

• The Digital Markets Act (DMA) is an EU regulation to ensure fairness, transparency, and competition in digital markets.
• DMA timeline: EC submits DMA proposal to European Parliament in December 2020; DMA text adopted in December 2021; formally adopted in July 2022; DMA comes into force May 2023; noncompliance investigations begin in March 2024.
• Designated gatekeepers to date are large online platforms: Alphabet (Google), Apple, Meta (Facebook), Amazon, Microsoft, Booking.com, and ByteDance (TikTok.)
• Business impacts: Startups and SMBs gain opportunities, plus there are more data privacy protections for consumers. Large enterprises have to manage compliance risks.
• Stronger rules for consent management, including related to cookie banners, CMPs, and user consent flows.
• Web development: Mandatory requirements for gatekeepers including interoperability, APIs, and alternative payment systems.
• User data privacy: Enhanced rights for data access, portability, and transparency under the DMA and GDPR.
• Compliance roadmap: Gatekeepers need to audit practices, update CMPs, monitor gatekeeper changes, and stay proactive. To maintain compliance, these companies have passed down policy requirements to other companies using their platforms.

What is the Digital Markets Act?

The Digital Markets Act (DMA) is an EU regulation designed to enhance data privacy, control the influence of large global tech companies, and ensure fair competition in digital markets. 

The DMA designates “gatekeepers”, which are large online platforms with considerable influence over smaller businesses, consumers, and global digital markets. These gatekeepers are the entities required to comply with the DMA’s requirements. 

As of late 2025, seven have been designated, but in the future existing ones could be removed (e.g. Samsung was initially considered) and new ones could be added.

In order for gatekeepers to comply with the Act’s requirements, like enhancements to data privacy, they need to ensure compliance throughout their ecosystems. Some have created or updated policies with requirements for smaller partner organizations. 

While smaller companies would not be fined under the DMA for not complying with gatekeepers’ requirements, they could lose access to functions on their platforms, or access to the platforms entirely.

The gatekeepers control critical digital services, such as online search engines, app stores, ecommerce platforms, payment processors, web browsers, messaging services, and social networks. By imposing strict requirements across the EU, the DMA seeks to:

• Prevent unfair practices by gatekeepers
• Strengthen user rights over data access and portability
• Ensure more transparency in digital services
• Create a more level competitive playing field for startups and SMBs

Digital Markets Act summary

The EU DMA law applies to companies that meet criteria for gatekeeper designation, which include significant impact on EU digital markets (though all the gatekeepers are global enterprises), have a large base of business and end users, and entrenched market positions.

At its core, the DMA provides a list of do’s and don’ts for the designated gatekeepers. The Act has a number of key objectives meant to curb potentially anti-competitive business behaviors. These include:

• End self-preferencing, where a gatekeeper favors its own services in rankings or visibility
• Mandate data-sharing with business users and competitors
• Guarantee users the ability to uninstall apps, switch defaults, and access alternative payment systems
• Preventing reuse of data collected from business users to compete against them

The DMA’s jurisdiction, like with the GDPR, is business operations in the European Union (EU) and European Economic Area (EEA).

Digital Markets Act timeline

The Digital Markets Act was proposed along with the Digital Services Act (DSA), with the combined legislation referred to as the Digital Services Act package. The DSA governs online content, safety, and liability.

• The European Commission (EC) submitted their proposal for the DMA law to the European Parliament in December 2020. 
• Complaints by large online platforms and lobbying efforts against the DMA and gatekeeper status began as early as late 2020.
• The law’s text was formally adopted in December 2021. 
• The law was formally adopted by the European Parliament in July 2022.
• The law came into force in May 2023.
• The initial six gatekeepers had to comply by March 2024, and noncompliance investigations were opened then against Alphabet, Apple, and Meta.
• Booking.com was added as a seventh gatekeeper in May 2024, and had six months to achieve compliance with the DMA’s requirements.
• The EC announces noncompliance findings against Google, Apple, and Meta in April 2025 and issues fines.

Digital Markets Act gatekeepers

Article 3 of the DMA outlines the criteria defining a gatekeeper position. Companies had to notify the EC by July 2023 if they met these thresholds. They include:

• Significant impact on the internal market
• Provide a core platform service that is an important gateway for business users to reach end users
• Enjoy an entrenched and durable position
• Meet specific thresholds for revenue — EUR 7.5 billion annual EU turnover or EUR 75 billion market capitalization — and user numbers — 45 million monthly active end users and 10,000 yearly active business users in the EU

When the DMA came into effect in 2023, there were six gatekeepers designated, with Booking.com added in May 2024:

• Alphabet (Google, YouTube, etc.)
• Amazon
• Apple
• Booking.com
• ByteDance (TikTok)
• Meta (Facebook, Instagram, WhatsApp, etc.)
• Microsoft

The original six gatekeepers had until March 2024 to comply with the law, and Booking.com had to comply by November 2024.

Core platform services under the DMA law

Operating one or more core platform services (CPS) is one of the criteria for gatekeeper designations, and to date these CPS are:

• Four social networks (Facebook, Instagram, LinkedIn, TikTok)
• Two large communication services (Facebook Messenger and WhatsApp)
• Six “intermediation” platforms (Amazon Marketplace, Google Maps, Google Play, Google Shopping, iOS App Store, Meta Marketplace)
• One search engine (Google)
• Two web browsers (Chrome and Safari)
• Three online advertising services (Amazon, Google, and Meta)
• Three most popular operating systems (Google Android, iOS, Windows PC OS)
• One video sharing platform (YouTube)
• One online travel agency (Booking.com)

Gatekeepers’ obligations under the DMA law

The EC published a list of obligations for the designated gatekeepers, in the form of a do’s and don’ts list.

Do’s for gatekeepers

✅ Allow third-party interoperability with the gatekeeper’s own services in specific circumstances.

✅ Allow their business users to access the data that they generate in their use of the gatekeeper’s platform.

✅ Provide companies advertising on their platform with the tools and information necessary for advertisers and publishers to carry out their own independent verification of their advertisements hosted by the gatekeeper.

✅ Allow their business users to promote their offers and conclude contracts with their customers outside the gatekeeper’s platform.

Don’ts for gatekeepers

❌ Treat services and products offered by the gatekeeper itself more favorably in ranking than similar services or products offered by third parties on the gatekeeper’s platform.

❌ Prevent consumers from linking up to businesses outside their platforms.

❌ Prevent users from uninstalling any preinstalled software or app if they wish so.

❌ Track end users outside of the gatekeepers’ core platform service for the purpose of targeted advertising, without valid consent having been granted.

Consumers’ rights and benefits under the DMA

Among the biggest benefits of the DMA for European consumers online is increased protections and choice. With the goal of spurring competition, companies — including the gatekeepers — have motivation to improve their products and services. The main benefits of the DMA law for consumers are:

• Improved product and service quality: Companies (including the gatekeepers) are incentivized to improve their products and services due to increased competition and consumer choice.
• Innovation: Big platforms are prevented from using data from smaller companies to create similar or identical, cheaper products. This shifts the focus to genuine innovation and superior customer experience as competitive differentiators.
• Easier switching among providers: Consumers can more easily switch between service providers and port their data, significantly reducing barriers previously associated with leaving platforms.
• Data control: Individuals gain more control over how gatekeepers use their data. They can decide if their data can be tracked across services or used for marketing purposes, such as profiling for personalized advertising.
• Streamlined user experience: Consumers no longer have to log in to one platform to access another, simplifying the online user experience. Also expanded user-friendly options for browsers and search engines.
• App installation and management freedom: Individuals can directly install apps from the web or app stores beyond those operated by gatekeepers like Apple and Google. App developers can list their apps in multiple stores and startups can even create their own app stores, with greater control.
• Unbiased search results: Search results will prioritize relevance over commercial bias, enabling consumers to discover the best products and services without undue influence from gatekeepers’ marketing and promotions they may not find relevant.
• Legal recourse: Consumers have avenues for recourse if their rights are denied. They can contact the European Commission (EC) or their national competition authority, and there’s also a legal option to file complaints in national courts within the EU.

EU Digital Markets Act enforcement

The European Commission is the sole enforcement body for the DMA in the EU. Potential penalties are substantial, and exceed those for GDPR violations. The EC can levy fines of up to 10 percent of total global revenue for the preceding year, or up to 20 percent for repeated infringements (Article 30 of the DMA.) There can also be structural remedies required, including divestments when there’ve been repeat infractions.

The EC didn’t waste any time beginning investigations or enforcement, either. In April 2025, Apple was fined EUR 500 million and Meta was fined EUR 200 million for breach of the anti-steering obligation (obligation to give consumers the choice of a service that uses less of their personal data.)

In September 2025 Google was fined an unprecedented EUR 2.95 billion for breaching antitrust rules in advertising.

The European Digital Markets Act impact on businesses

The DMA’s effects are not limited to gatekeepers. Its ripple effects reach every business of every size that operates digitally in Europe.

As noted, some of the gatekeepers have taken actions to enable DMA compliance throughout their business ecosystems. For example, Google established new privacy rules in March 2024, accompanied by enforcement of its EU user consent policy.

The Digital Markets Act and large enterprises

Large companies are likely to have significant investment into the gatekeepers’ platforms. As a result, that is likely to be accompanied by more requirements for compliance with new or updated policies and associated financial and resource costs for internal audits, process and operational updates, and ongoing maintenance.

Again, while third-party companies don’t directly have to comply with the DMA, if they do business in Europe they likely do have to comply with other regulations and frameworks that have some similar requirements, including the GDPR, ePrivacy (as implemented on a national basis), AI Act, and others. 

On the plus side, there are potential benefits to the DMA for large enterprises, including:

• Greater opportunities for customer acquisition
• Lower advertising costs (and more transparency in bidding)
• Diversification in suppliers and supply chain (with opportunities like owning their own app stores and other delivery mechanisms)
• Direct innovation for competitive advantage
• Partnerships with or acquisitions of other companies with desirable products, services, or platforms

The Digital Markets Act and SMBs and startups

Like with consumers, the DMA brings freedom and flexibility to smaller companies that have traditionally had minimal control or access to the big platforms they relied on. Key benefits of the DMA law for small businesses and startups include:

• Fairer market access: More open distribution channels, audiences, and critical datasets by limiting gatekeepers’ ability to self-prefer and restrict access. This reduces barriers that previously favored entrenched incumbents.
• Improved transparency: Enhanced transparency, enabling smaller businesses to gain clearer insights into platforms’ data, mechanics (like algorithms), and audience behavior.
• Greater clarity and data portability: Smaller companies can better understand performance, switch providers more easily, and enable consumers to switch to them.
• More competitive pricing and offerings: SMBs and startups will be able to offer competitive pricing and features as the result of access to better data to drive innovation, not being locked into a single ecosystem, and a market that favors competition.
• Trust and data-driven growth: Adopting consent tools and practices builds trust with customers, leading to access to more high-quality, consented data for analytics and marketing. This supports sustainable, privacy-compliant, data-driven growth while preserving access to essential platform services.

The DMA and web development

The DMA brings new requirements for tech teams, but also raises industry-wide standards and helps streamline processes and protect businesses. The major requirements and benefits of the DMA for web development are:

• Improved transparency and consent UX: Clearer requirements and guardrails make designing privacy notices and consent flow (e.g. in consent banners) easier and more consistent for language, user-friendly user interfaces, and clear consent mechanisms. 
• Privacy-friendly standards: Better user experience and greater protection for companies’ operations by preventing use of dark patterns. Also reduction in design churn and encouragement of privacy by design approaches, from planning to innovations. 
• Better inter-team collaboration: Design and development teams become a more integral part of meeting compliance requirements while creating the best user experiences, benefiting many departments, processes, and projects.
• More data fuels innovation: The additional data that smaller companies will have access to from the gatekeepers enables smarter decision-making about design and development. This saves time, better meets customer expectations, and fuels growth.
• Motivation to build privacy-first functionality: Data portability features can be built as first-class product capabilities, e.g. export in CSV/JSON/XML, in-product status notifications, and documentation. These also improve UX and reduce vendor lock-in for users.
• Improved automation: Customer data requests will increase resource demands, spurring roll-out of automated features like data export and/or DSAR options in accounts that enable self-serve.
• Reduced support load: Happier customers mean less work providing data to take elsewhere, as well as inquiries and requests regarding privacy and users’ exercising their rights.
• Streamlined integration: Gatekeepers must work better with third-party services, so developers can integrate more easily with large platforms, leverage their infrastructure, and reach broader audiences. 
• More standard tooling: The DMA catalyzes a tooling stack that’s easier to standardize across projects, helping to shorten build time, reduce compliance risk, improve UX, and make privacy by design a repeatable engineering practice:
  • CMPs for lawful consent capture and signaling (including TCF-compatible, Google-certified options)
  • API management for third-party integrations
  • Analytics and testing tools vetted for privacy-compliant workflows
  • Governance platforms for monitoring and audits

The DMA, data privacy, and consent management

The DMA joins the GDPR in making explicit, opt-in consent a requirement for the gatekeepers’ core platform services. This helps raise the privacy baseline across the digital ecosystem, since, as noted, the gatekeepers can enact policies that their customers need to comply with. 

This also strengthens user rights and control over their data and its use, including choosing which cookies/trackers are allowed, updating consent preferences or withdrawing them later, and being able to port a copy of their data to new providers. 

Because gatekeepers must prove valid consent — and face steep penalties if they can’t — there’s a push for standardized consent signaling and documentation. That benefits privacy operations across the board by clarifying for all companies how consent must be captured, stored, signaled, and documented. 

This standardization includes wide-scale use of tools like Consent Mode with a Google-certified CMP, so systems across the web, app, and other connected platforms can send and receive consent signals and respect user choice (and provide proof of compliance to regulators), protecting businesses of all sizes, and consumers’ privacy.

And of course, better consent practices translate into greater transparency by companies, which helps grow long-term trust and engagement. Customers see clearer explanations of data use and can make informed choices that put them in control. 

Businesses incorporate practices that support sustainable growth, protect operations — both on and outside of the gatekeepers’ platforms — and enable them to obtain more high-quality data for marketing.

The Digital Markets Act and the digital ecosystem

The Digital Markets Act represents a significant step towards protecting user privacy and promoting fair competition in the digital sector. By imposing obligations on influential gatekeepers and enhancing user control over personal data, the EU DMA law aims to create a more transparent and user-centric digital ecosystem.

That means greater protections for both consumers and companies, as well as more competition and innovation (for better products, services, and customer experience), and standardized tech and compliance mechanisms and data flow. 

As seen by reviews and fines already levied, the DMA law’s implementation is not without detractors, but at the end of the day it’s a blueprint for more sustainable, innovative, competitive, user-friendly, and privacy-first digital markets.

Celestine Bahr

Director Legal, Compliance & Data Privacy, Usercentrics GmbH

Read more

Stay in the loop

Join our growing community of data privacy enthusiasts now. Subscribe to the Usercentrics newsletter and get the latest updates right in your inbox.

Newsletter

Email address

Subscribe

By subscribing to the Usercentrics Newsletter, you agree that your data may be used for information related to the products and services offered by Usercentrics. You can revoke your consent by using the unsubscribe link in a newsletter email or by sending your request to unsubscribe@usercentrics.com. See Privacy Policy