Digital Markets Regulation: now a reality in the EU

In early November, the much awaited and debated Digital Markets Act (DMA) entered into force. This regulation has direct effect and therefore does not need to be incorporated into national legislation. The DMA will apply as of 2 May 2023.

The DMA establishes a set of rules that aim to make the digital sector fairer and competitive. For example by ensuring that there are low barriers to market entry and exit. The new law reflects the European legislator's goal to regulate online platforms effectively, create a level playing field for businesses and bring fairer conditions to consumers. For some, the regulation may have far-reaching consequences for their innovation efforts and business models, while for others it may offer opportunities to benefit from a more innovative and competitive business environment. The exact impact of the regulation will become clearer in the months ahead.

Why DMA and for whom?
Traditional antitrust laws have not proven to be sufficient in tackling the ever-evolving and complex digital markets. Certain characteristics of large platforms such as vertical integration, extreme scale economies, strong network effects, ability to connect business users to end-users, data driven advantages, lock-in effects, etc. can enable them to exploit such power and tilt the market in their own favour. The DMA intends to complement the existing antitrust laws by setting ex ante ground rules for the 'gatekeepers', as they are called, regarding what conduct is acceptable and what is not.

The regulation applies to businesses (both EU and non-EU based) designated as gatekeepers by the European Commission. To qualify as a gatekeeper, these businesses should provide at least one of the ten core platform services (CPS) listed in the regulation that include operating systems, online intermediation services, search engines, social networking, cloud computing, etc. If that is the case, the Commission can designate such a business as a gatekeeper if the following cumulative thresholds are met:

It has a significant impact on the internal market: this is presumed to be the case if the business has an annual turnover of EUR 7.5 billion within the EEA in each of the past three financial years, or a market valuation of at least EUR 75 billion in the past financial year, and it provides the same CPS in at least three Member States.
It provides an important gateway for business users to reach the end-users: this is presumed to be the case if the business operates a CPS with more than 45 million active end-users per month established or located in the EU and more than 10,000 yearly active business users established in the EU in the past financial year.
It enjoys an entrenched and durable position: this is presumed to be the case if the other two conditions are met in each of the past three financial years.

Even if the quantitative thresholds are not met, a business providing a CPS can still be identified as a gatekeeper by the Commission following an in-depth market investigation. This seems to open the door to a degree of uncertainty and unpredictability for businesses and practitioners.

What are the obligations and prohibitions under the DMA?
If a business is designated as a gatekeeper, it will have to comply with a set of obligations and prohibitions within six months of the Commission's decision. The Commission may update the list of obligations and prohibitions following an in-depth investigation. Examples of the current obligations and prohibitions that gatekeepers will have to adhere to at all times include:

Allowing business users to promote their offers (for lower prices if they so wish) on other platforms and conclude contracts with their customers outside the gatekeeper's platform to prevent further dependence on the CPS of gatekeepers.
Not combining or cross using personal data between different CPS, unless the end-user has specifically provided consent. This obligation is intended to enable end-users to freely choose to opt-in to such data processing and sign-in practices by offering a less personalised but equivalent alternative, and without making the use of the CPS conditional upon the end-user’s consent.

Other obligations and prohibitions with which gatekeepers are also expected to comply, but for which they may request further specification from the Commission on how they should be applied, are:

Allowing third parties to interoperate with their own service,
Providing end-users with effective data portability and business users with access to the data generated by their activities on the gatekeeper's platform free of charge. Given that data is the lifeblood of the digital economy and that the end-users of businesses using a CPS generate a vast amount of data, access to such data aims to prevent the gatekeeper from undermining the contestability of the CPS.
Not treating their own products and services more favourably than those also offered by third parties in ranking and related indexing and crawling, and applying transparent, fair and non-discriminatory conditions to such ranking.
Allowing end-users to uninstall preinstalled apps easily and enable them to change default settings on operating systems, web browsers or virtual assistants. This obligation intends to prevent end-users from being steered towards the products and services of the gatekeepers and increases free choice.

The Commission will enforce the DMA with support of the national regulators. Infringement of the act could lead to a fine up to 10% of the businesses total worldwide turnover and up to 20% annual worldwide turnover in the case of repetitive infringements. In addition, an infringement could also lead to periodic penalty payments of up to 5% of the company's total worldwide daily turnover. Furthermore, systematic infringements can lead the Commission to impose additional behavioural and structural remedies.

What to expect?
The Commission expects 15 to 20 gatekeepers to be designated and estimates a total compliance cost for them combined between EUR 21.15 million and 28.2 million per year (i.e. an average of about EUR 1.4 million per gatekeeper per year). According to the Commission, these costs are incurred by additional staff to check whether a platform complies with the new rules and for staff who interact with the regulator and respond to information requests. Indirect costs for gatekeepers could be higher, as the proposed measures are expected to have an impact on their business models and potentially affect their profits.

Set against the effects the DMA could have on gatekeepers and innovation in general, the following practical effects could also include the following: (i) the creation of alternative app stores as well as the opening up of app stores to all; (ii) the creation of alternative payment systems or identification services (as gatekeepers can no longer require app developers to use certain services); (iii) the creation of alternative browsers (as users are now free to choose their browsers); (iv) guaranteed interoperability with major players such as WhatsApp for those launching a messaging app; (v) increased availability of analytical and statistical figures to sellers on online marketplaces; (vi) the end of platform monopolies (e.g. in hotel booking or car rental markets) because sellers will be free to offer their product elsewhere; and (vii) a better competitive position for non-gatekeeper businesses now that gatekeepers can no longer rank their own products and services above those of other providers.

Whether any of these predictions will come true remains to be seen. This is also true for any consequential effects the DMA rules may have on the national antitrust regulators' practices towards CPS businesses that are not formally designated as gatekeepers. That being said, timeline would be as follows:

What to do now?
Very large businesses active in the provision of CPS are likely to be aware of whether they qualify as a gatekeeper or not. It also seems probable that they have assessed their business operations in line with the obligations imposed by the DMA.

At this stage, the DMA may also affect the business operations (or potential business opportunities) of companies that offer or plan to offer services on the gatekeeper's platforms, or competing digital platforms. The rules set by the DMA may open up business opportunities. For businesses other than gatekeepers, it may be worthwhile to analyse the DMA in more detail to see if the new regulatory framework provides a legal basis for a broader offering of services, as expected by the European Commission.

Related articles

Counting down to DORA – governance of ICT risks and board member responsibility

EU courts continue to validate the Commission's cartel enforcement practice

ICT services: comparison of the ESMA and EBA outsourcing guidelines and DORA

NautaDutilh intensifies AI collaboration with Fledger

DMA countdown - Perhaps the most important milestone: gatekeepers must ensure compliance

NautaDutilh assists Buckaroo on partnership with ABN AMRO

Privacy & data in the Benelux: five things you need to know in 2024

NautaDutilh advises a.s.r. on its sale of Knab to BAWAG

Benelux Competition Law in 2024: five things you need to know

Technology and the law in 2024: five things you need to know

EU AI Act: three key insights on the world's first comprehensive AI law

The Chambers Technology & Outsourcing guide 2023

Q&AI: What financial institutions need to consider when using AI

The Foreign Direct Investment Regimes Guide 2024

Life Sciences challenges and opportunities in Europe and the USA: key insights

Filing obligations under the Foreign Subsidies Regulation – what we know so far

NautaDutilh strengthens Competition practice with senior associate Victorine Dijkstra

NautaDutilh advises Dutch State on its envisaged EUR 500 million investment in grid operator Stedin

Luxembourg FDI screening mechanism enters into force

The twin transition of the financial sector: eight key insights

The competition dynamics in relation to cloud services

NautaDutilh assists founding shareholders of Route Mobile in selling majority stake to Proximus

Green light for EU-US Data Privacy Framework: a new era for transatlantic data flows

NautaDutilh writes Netherlands chapter of the Global Legal Insights on AI, Machine Learning and Big Data 2023

Luxembourg: introduction of national FDI screening mechanism

The Foreign Subsidies Regulation in public procurement – (not just) another tool in the toolbox

The Dutch Vifo Act: five things you need to know

Upcoming EU legislation on artificial intelligence

NautaDutilh Luxembourg ranked in Chambers FinTech 2023

Best practices for drafting and updating data protection notices

NautaDutilh assists Bluestar Alliance in Scotch & Soda acquisition

NautaDutilh assists LiquidStack with its Series B funding round

EU Foreign Subsidies Regulation (FSR): five things you need to know

Using ChatGPT and other generative AI tools: risks and challenges

The EDPB provides for further guidance on the use of cloud solutions in line with the GDPR

Benelux Competition Law in 2023: five things you need to know

The end-user and its avatar - data integrity risks and ethical challenges in the metaverse - Part one

Online platforms and search engines to publish average monthly active recipients (AMARs) in EU by 17 February 2023

CJEU decision extending the scope of article 5(1) of the Damages Directive

Think twice: non-solicitation clauses permissible?

Hydrogen & the rules of Competition Law: three key insights

GDPR & AML: no longer public access to UBO data without legitimate interest

Hydrogen import and storage: three key insights

DORA: the forthcoming EU legal framework on Digital Operational Resilience in the financial sector

DORA the EU Regulation

NautaDutilh contributes to Technology Disputes Guide by Lexology

Recent FDI developments

Privacy and security concerns in the metaverse

Data protection impact assessments new EDPS recommendations

Digital Markets Act close to completion: what are the main changes and concerns?

Revamped CSSF outsourcing guidance for the financial sector

Technology & the law in 2022: five things you need to know

Corporate M&A in 2022: five things you need to know

Luxembourg IP & Technology Law: five things you need to know

NautaDutilh Luxembourg ranked in Chambers FinTech 2022

NautaDutilh assists shareholders of Mepal in investment by 3i

Prohibition of online advertising in a list of e-mails or messages: a misstep by the CJEU?

Why all companies should care about the UN's cybersecurity & software update regulations: Lessons for all sectors

New rules on material IT outsourcing in the financial sector

Vifo Act Submitted to the Lower House: What's Next?

NautaDutilh contributes to Technology Disputes Guide by Lexology

NautaDutilh advises PLUS on its merger with Coop

NautaDutilh assists Marcel Boekhoorn in sale of High Tech Campus Eindhoven

NautaDutilh contributes to digitalization series by EACCNY

NautaDutilh's IP & Tech Law team recognised by Leaders League

Belgian DPA: fines prohibited in the absence of a prior order to comply?

Europe proposes first-ever statutory framework for AI

Lindsay Korytko in Silicon Luxembourg on IP and contractual protection of APIs in the EU

Insufficient cybersecurity measures under GDPR: 100k EUR fine in Belgium & key fines elsewhere

Regulatory changes in the audiovisual media sector

New law brings Luxembourg to the forefront of distributed ledger technology

How Fortnite could lead to important changes in the payments industry

The Sky Is Not the Limit: Space Activities in Luxembourg

Competition law in 2021: five things you need to know

NautaDutilh assists Dutch State on extended EUR 12 billion COVID-19 state aid reinsurance scheme for trade credit insurance

The ACM calls for a level playing field for payment services

Digital Markets Act Regulating tech platforms

(Alleged) data protection infringement? Say bye-bye to your .be domain name

New Belgian DPA decision: employee consent sometimes works