A gatekeeper designation under the EU's Digital Markets Act is not a verdict you serve and move past. It is the start of a compliance relationship that never closes.

The DMA does not ask designated firms to fix one thing once. It imposes a standing set of behavioural rules, layers a "demonstrate compliance" duty on top, and backs the whole structure with fines that scale to global turnover and penalty payments that accrue by the day. The pressure is continuous by design.

That is what makes Digital Markets Act enforcement different from a classic antitrust case. There is no settlement that ends the obligation. The obligations in Articles 5, 6 and 7 stay live for as long as the designation does, and every product change reopens the question of whether the firm still complies.

For compliance leads at designated platforms — and for the enterprise customers who depend on them — the operational question is simple. How do you stay current with rules that the Commission can re-specify, extend by interoperability deadline, and enforce with escalating fines?

How does the DMA designate a gatekeeper, and which core platform services trigger obligations?

The DMA targets a narrow set of firms. Under Article 3(1), an undertaking is designated a gatekeeper when it has a significant impact on the internal market, provides a core platform service that is an important gateway for business users to reach end users, and enjoys an entrenched and durable position.

Those criteria sound qualitative. Article 3(2) makes them measurable through presumptions. A firm is presumed to meet them where it has annual Union turnover of at least EUR 7.5 billion in each of the last three financial years, or an average market capitalisation of at least EUR 75 billion in the last financial year, and provides the same core platform service in at least three Member States. The user thresholds are equally concrete: at least 45 million monthly active end users in the Union and at least 10,000 yearly active business users.

The phrase that does the work is core platform services. Article 2(2) lists ten categories: online intermediation services, online search engines, online social networking services, video-sharing platform services, number-independent interpersonal communications services, operating systems, web browsers, virtual assistants, cloud computing services, and online advertising services. Obligations attach per service, not per company. A firm can be a gatekeeper for its app store and not for its cloud product, and the designation decision lists exactly which services are in scope under Article 3(9).

The timeline compresses fast. A firm meeting the thresholds must notify the Commission within two months under Article 3(3). The Commission then designates within 45 working days of receiving complete information under Article 3(4). After a service is listed, the gatekeeper has six months under Article 3(10) to comply with Articles 5, 6 and 7. Six months. Not months of negotiation — a hard runway to operational compliance.

This is where mapping the regulation to internal controls stops being optional. Knowing you are designated is trivial. Knowing which of your services trigger which obligations, and tracking that as your product surface shifts, is the real work. That is the job of regulatory intelligence tied to the source text rather than to a summary deck.

What do Articles 5, 6 and 7 actually require — interoperability, anti-self-preferencing, and data-use limits?

The DMA splits its substantive rules across three articles with different enforcement mechanics.

Article 5 holds the self-executing prohibitions and duties. These need no further specification by the Commission. A gatekeeper cannot combine personal data across its services without specific end-user consent under Article 5(2). It cannot stop business users from offering different prices or conditions through other channels under Article 5(3). It cannot require business users to use its own identification service, browser engine, or payment service under Article 5(7). And it cannot prevent users from raising non-compliance issues with public authorities under Article 5(6).

Article 6 holds obligations "susceptible of being further specified under Article 8." These are live duties the firm must meet, but the Commission can issue an implementing act detailing exactly how. Article 6 includes the gatekeeper obligations Article 6 is best known for: no using non-public business-user data to compete against those same business users (6(2)), letting users uninstall apps and change defaults (6(3)), allowing third-party app stores and sideloading (6(4)), the anti-self-preferencing rule on ranking (6(5)), data portability for end users (6(9)), and effective interoperability with operating-system and hardware features (6(7)).

Article 7 stands alone. It governs messaging interoperability for number-independent interpersonal communications services, and it operates on its own phased timeline rather than a single switch.

The split matters for enforcement. Article 8(1) requires the gatekeeper to "ensure and demonstrate compliance" with all three articles. Demonstration is an affirmative burden. It is not enough to comply quietly. You must be able to show the measures and prove they are effective, which is exactly the posture obligations management is built to support: each obligation mapped to a control, each control mapped to evidence.

Why has self-preferencing become the most contested enforcement front under Article 6(5)?

Article 6(5) is short and sharp. The gatekeeper shall not treat its own services and products more favourably in ranking, and related indexing and crawling, than similar third-party services. It must apply transparent, fair, and non-discriminatory conditions to such ranking.

The rule is contested because self-preferencing ranking sits at the intersection of two things that are hard to separate: product design and competitive advantage. Ranking is how platforms create value — and how they steer users. The DMA does not ban ranking. It bans ranking that favours the gatekeeper's own goods over comparable third-party goods.

That is a fact-heavy line. "Similar services or products" requires defining the comparison set. "More favourably" requires a baseline of neutral treatment. And "transparent, fair and non-discriminatory" invites scrutiny of the ranking logic itself — which the Commission can demand access to.

Article 2(22) defines ranking broadly: the relative prominence given to goods or services through intermediation, social networking, video-sharing, or virtual assistants, and the relevance given to search results. That breadth means self-preferencing analysis reaches across most of a gatekeeper's surfaces, not just a single results page.

When the Commission concludes a ranking practice breaches 6(5), Article 8(2) lets it adopt an implementing act specifying the measures the firm must implement, within six months of opening proceedings. The obligation does not change. The required behaviour gets more precise — and the firm must re-engineer to match.

How does messaging interoperability under Article 7 reshape the gatekeeper compliance burden?

Article 7 is the DMA's most technically demanding obligation. A gatekeeper providing number-independent interpersonal communications services must make the basic functionalities of those services interoperable with other providers' services, on request and free of charge, by providing the necessary technical interfaces.

Messaging interoperability does not arrive all at once. Article 7(2) phases it. Following listing in the designation decision, the gatekeeper must support one-to-one text messaging and the sharing of images, voice messages, videos, and files between two individual end users. Within two years of designation, that extends to group text messaging and sharing between a group chat and an individual. Within four years, it reaches one-to-one voice and video calls, and group-to-individual voice and video calls.

Two constraints make this a standing engineering commitment rather than a one-off integration. First, Article 7(3) requires that the level of security the gatekeeper provides its own users — including end-to-end encryption where applicable — be preserved across interoperable services. Building cross-provider messaging that does not weaken encryption is genuinely hard. Second, Article 7(5) requires the gatekeeper to publish a reference offer and then comply with any reasonable interoperability request within three months of receiving it.

So the burden compounds. The gatekeeper publishes terms, fields requests, and ships interoperability on a three-month clock, all while honouring phased functional deadlines and preserving its own security guarantees. Under Article 7(8), it may exchange only the personal data strictly necessary to provide interoperability, in full compliance with the GDPR. Each request is a new project on a fixed timeline. The audit pack is a query, not a project — but only if the underlying obligation-to-control map already exists.

What does anti-circumvention under Article 13 mean for design choices and "malicious compliance"?

Compliance on paper is not compliance under the DMA. Article 13 is the regulation's answer to firms that meet the letter of an obligation while defeating its purpose.

Article 13(4) bars any behaviour that undermines effective compliance with Articles 5, 6 or 7, "regardless of whether that behaviour is of a contractual, commercial or technical nature, or of any other nature, or consists in the use of behavioural techniques or interface design." That last clause names the practice regulators call malicious compliance: technically allowing a choice while designing the interface so users rarely take it.

Article 13(6) sharpens this. The gatekeeper must not degrade the conditions or quality of a core platform service for users who exercise rights under Articles 5, 6 or 7, nor make exercising those rights unduly difficult — including by presenting choices in a non-neutral manner or "subverting end users' or business users' autonomy, decision-making, or free choice via the structure, design, function or manner of operation of a user interface." Dark patterns are explicitly in scope.

Article 13(1) also closes the structural escape route. A firm cannot segment, divide, or split its services through contractual or technical means to dodge the Article 3(2) thresholds.

For compliance teams, Article 13 changes what counts as evidence. A consent flow that is technically valid but designed to discourage consent is a violation. The defensible record is not "we offered the choice" — it is "we offered the choice neutrally, and here is the design rationale." Where Article 13(7) finds circumvention, the Commission can open proceedings under Article 20 and adopt an implementing act specifying corrective measures.

How do non-compliance proceedings, periodic penalty payments, and fines up to 10% (20% for repeat) of worldwide turnover create ongoing pressure?

The enforcement architecture is what turns DMA obligations into continuous pressure.

It starts with a finding. Under Article 29, the Commission adopts a non-compliance decision when it finds a gatekeeper does not comply with Articles 5, 6 or 7, with Article 8(2) measures, with Article 18(1) remedies, with interim measures, or with binding commitments. The decision orders the firm to cease and desist within a deadline and to explain how it will comply.

Then come the fines. Article 30(1) lets the Commission impose fines not exceeding 10% of total worldwide turnover in the preceding financial year for failures, whether intentional or negligent. For repeat conduct — the same or a similar infringement of an obligation in Article 5, 6 or 7 in relation to the same core platform service, found within the preceding eight years — Article 30(2) raises the ceiling to 20% of total worldwide turnover. A separate track under Article 30(3) allows fines up to 1% of worldwide turnover for information-related failures, such as not providing data the Commission requests.

The mechanism that produces daily pressure is the periodic penalty payments in Article 31. The Commission can impose payments not exceeding 5% of average daily worldwide turnover per day to compel compliance — with an Article 8(2) decision, an Article 18(1) remedy, an information request, an inspection, interim measures, binding commitments, or an Article 29(1) non-compliance decision. Five percent of average daily worldwide turnover, per day, until the firm complies. The cost of delay is not a fixed penalty. It is a meter running.

The structure escalates further. Article 18 lets the Commission open a market investigation into systematic non-compliance. Under Article 18(3), a gatekeeper is deemed to have engaged in systematic non-compliance where the Commission has issued at least three non-compliance decisions under Article 29 against it within eight years. The remedy can include behavioural or structural measures, and under Article 18(2) a temporary ban on acquisitions in the affected sector.

Read together, these articles answer why pressure never lets up. A non-compliance finding can trigger a turnover-scaled fine, a daily penalty meter, and — across repeated findings — structural remedies. The only stable position is continuous, demonstrable compliance.

What should compliance and GRC leaders at platforms and their enterprise customers operationalise now?

The DMA rewards firms that treat obligations as a living register, not a launch checklist. A few priorities follow directly from the articles above.

Map obligations to services, not to the company. Because designation and obligations attach per core platform service under Article 3(9), your control map needs the same granularity. An obligation that applies to your app store may not apply to your cloud service.

Build demonstration into the workflow. Article 8(1) requires you to demonstrate compliance, and Article 11 requires a detailed compliance report within six months of designation, updated at least annually. The annual report is far cheaper to produce when evidence is continuously linked to obligations rather than reconstructed at deadline. This is what audit readiness means in practice — the report is assembled, not authored from scratch.

Stand up the compliance function the regulation actually names. Article 28 requires an independent compliance function with its own head, sufficient authority and resources, and direct reporting to the management body. This is a structural obligation, separate from the substantive ones.

Treat interface design as a compliance artefact. Under Article 13(6), neutral presentation of choices is itself an obligation. Document design decisions the way you document data flows.

Enterprise customers of gatekeepers have a stake too. The rights in Article 6 — data portability under 6(9), business-user data access under 6(10), interoperability under 6(7) — are leverage. If your vendor is a designated gatekeeper, those provisions are contractual and operational facts you can build on.

Across all of this, the through-line is currency. Rules can be re-specified under Article 8, extended by interoperability deadline under Article 7, and enforced with daily penalties under Article 31. Source-grounded mapping is the only way to keep pace. No AI hallucinations. Every obligation traced to the article that creates it.

See how Aegis GRC maps DMA gatekeeper obligations to source-grounded controls — explore the platform at agrc.ai. Answer once. Assess everything.

FAQ: DMA designation thresholds, reporting obligations, and penalty exposure

What are the quantitative thresholds for gatekeeper designation? Under Article 3(2), a firm is presumed to qualify with annual Union turnover of at least EUR 7.5 billion in each of the last three financial years, or average market capitalisation of at least EUR 75 billion in the last financial year, plus a core platform service in at least three Member States. The user thresholds are at least 45 million monthly active end users and at least 10,000 yearly active business users in the Union.

How long does a designated gatekeeper have to comply? Article 3(10) gives the gatekeeper six months after a core platform service is listed in the designation decision to comply with the obligations in Articles 5, 6 and 7. Designation itself happens within 45 working days of the Commission receiving complete information under Article 3(4).

What reporting obligations does a gatekeeper have? Under Article 11, the gatekeeper must provide the Commission with a detailed compliance report within six months of designation, publish a non-confidential summary, and update both at least annually. Separately, Article 28 requires an independent compliance function reporting to the management body.

What is the maximum penalty exposure under the DMA? Article 30(1) allows fines up to 10% of total worldwide turnover in the preceding financial year, rising to 20% under Article 30(2) for a repeat of the same or a similar infringement on the same core platform service within eight years. Article 31 adds periodic penalty payments of up to 5% of average daily worldwide turnover per day to compel compliance.