Looking to streamline your TPRM? Join our Product Deep Dive Webinar with live Q&A!
Register Now
Blog
Resources
Blog
Breaches
eBooks, reports, & more
Events
News
Compliance and Regulations
Categories
Attack Surface Management
Company News
Compliance and Regulations
Cybersecurity
Data Breaches
DevOps
Human Cyber Risk
Risks and Vulnerabilities
Third-Party Risk Management
Vendor Risk Management
The Digital Markets Act: Reshaping Tech Competition in the EU
Last updated
January 16, 2025
{x} minute read

The Digital Markets Act: Reshaping Tech Competition in the EU

Download the PDF guide
Free trial
Written by
Leah Sadoian
Content Writer
Leah is an experienced cybersecurity writer. Her work is read by leaders in security, tech, education, healthcare, and government.
Reviewed by
Kaushik Sen
Chief Marketing Officer
Kaushik has a background in software engineering, enterprise solution architecture, and data analytics. He brings a unique, data-driven perspective to cybersecurity education.
Table of contents

The online platform industry is growing exponentially as more organizations and individuals turn to digital resources for everyday needs.  

In 2022, the European Union introduced the Digital Markets Act (DMA), a groundbreaking piece of legislation to curb monopolistic practices of major online platforms while promoting fair competition across the highly saturated European market. The DMA’s comprehensive framework promotes innovation in the digital sector, protects consumers, and encourages a more equitable digital landscape.

This blog explores the Digital Markets Act, including key components, definitions, and obligations outlined in the regulation—along with how the DMA works to reshape tech competition across the European Union and beyond.

Learn how UpGuard Breach Risk helps protect your tech assets from cyber threats >

What is the Digital Markets Act?

Regulation (EU) 2022/1925, also known as the EU Digital Markets Act (DMA), is a European Union regulation that seeks to create a more equitable and competitive digital economy. The European Parliament enacted the regulation on November 1, 2022, and, for the most part, it became enforceable on May 2, 2023.

The EU created the DMA to promote healthy competition in the European digital market by preventing big tech companies from misusing their market power. The DMA aims to ensure a fair playing field by allowing new players and startups to enter the market.

The DMA targets the largest digital platforms operating in Europe, referred to in the Act as “gatekeepers.” The EU has identified twenty-two services across six tech giants (Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft) as core platform services. These companies must comply with all of the act’s provisions and obligations.

The Digital Markets Act and the Digital Services Act (DSA) are significant attempts by the European Union to regulate the digital economy, safeguard consumers, and ensure that everyone benefits from the advantages of digital transformation.

Key components of the Digital Markets Act

The Digital Market Act includes several key sections that outline gatekeepers, new rules, and enforcement mechanisms. Key components of the DMA include:

  • Identification of gatekeepers: The DMA defines “gatekeepers” as large online platforms that significantly impact the internal market, serve as an important gateway for businesses to access consumers, and have an entrenched and durable market position. Specific thresholds may include factors like the number of users, breadth of services, and revenue or market valuation.
  • Obligations for gatekeepers: The DMA includes compliance obligations for companies identified as gatekeepers to promote fair competition and innovation. Obligations fall under two categories: prohibited practices and mandatory practices.
  • Prohibited practices for gatekeepers: The DMA outlines prohibitions such as combining personal data across services without explicit consent, self-preferencing, and preventing users from uninstalling pre-installed software or applications.
  • Mandatory practices for gatekeepers: Gatekeepers must enable third parties to interoperate with the gatekeeper's services, provide companies that advertise on their platform with access to performance measuring tools, and grant businesses access to the data generated on their platforms.
  • Enforcement and penalties: The European Commission enforces the DMA, and penalties for non-compliance include fines, periodic penalties, behavioral or structural remedies, and bans on acquisitions.
  • Market investigation: The European Commission also has the authority to conduct market investigations to determine if the DMA framework must address new practices or services from existing gatekeepers. These investigations could result in revisions or extensions of the obligations placed on gatekeepers.

These key components help the DMA comply with the global trend of regulating large technology firms to address concerns about their impact on the market and society.

Who must comply with the Digital Markets Act?

There are two different definitions when identifying who must comply with the Digital Markets Act: gatekeepers and core platform services (CPS).

Compliance with the DMA is mandatory for companies categorized as "gatekeepers" in the digital industry. Gatekeepers are broadly defined as companies with a significant online platform crucial to facilitating the relationship between businesses and consumers in the digital market. Designated gatekeepers in the DMA include Alphabet (the parent company of Google), Amazon, Apple, ByteDance (products include TikTok and CapCut), Meta (products include Facebook, Instagram, and WhatsApp), and Microsoft. Specific criteria for identifying gatekeepers include:

  • Significant impact on the EU internal market: The company must have an annual turnover of at least EUR 7.5 billion in the EU or a market capitalization or equivalent of at least 75 billion euros, indicating a significant impact on the internal market of the European Union.
  • Serves as an important gateway: The company needs more than 45 million active monthly end users and more than 10,000 active businesses annually in the EU, signifying an essential gateway for business users to reach end users.
  • Entrenched and durable position: The company must have an entrenched and durable position in its operations, which suggests current market strength and stability over time.

The DMA also identifies core platform services in which these gatekeeper companies operate. The regulation includes eight different gatekeeper platforms, including advertising services, web browsers, intermediation, communication, operating systems, online search engines, social networks, and video-sharing platforms. A breakdown of gatekeeper companies and their core platform services is below:

  • Alphabet: Google, Chrome, Google Maps, Google Play, Google Shopping, Android, Google Search, Youtube
  • Amazon: Amazon Shopping, Amazon Marketplace, Amazon Ads
  • Apple: Safari, App Store, iOS
  • ByteDance: TikTok
  • Meta: Meta, Meta Marketplace, WhatsApp, Messenger, Facebook, Instagram
  • Microsoft: Windows, LinkedIn

As of late 2023, other services are also under investigation to determine whether they meet the thresholds for inclusion in the DMA. These include Microsoft Bing, Edge, Microsoft Advertising, and Apple iMessage. Some companies that the legislation may eventually target include Airbnb, Booking.com, Spotify, and Samsung.

Penalties for non-compliance

Non-compliance with the Digital Markets Act carries significant penalties that reflect the European Union's commitment to promoting fair contestability and innovation within the digital market. The DMA outlines the main penalties and consequences for failure to comply, which include:

  • Fines: The DMA can impose substantial fines on gatekeepers who don't comply with these regulations. DMA infringements result in fines of up to 10% of a company’s worldwide turnover. For repeat offenders, the fine can increase to 20%, showing the EU's strict enforcement policy.
  • Periodic penalties: In addition to one-time fines, the European Commission can impose periodic penalties to compel compliance. These can be set up to 5% of the average daily worldwide turnover of the gatekeeper, applied daily until compliance is achieved.
  • Behavioral or structural remedies: The European Commission can impose behavioral or structural remedies for serious and repeated infringements by a gatekeeper. Behavioral remedies may include specific actions, while structural remedies may require the gatekeeper to sell parts of its business. These remedies are the last resort for severe cases of non-compliance.
  • Ban on acquisitions: For non-compliant companies, the DMA may temporarily ban acquisitions, particularly of smaller firms that could reinforce dominant market positions. The aim is to prevent gatekeepers from consolidating their power by acquiring emerging competitors.

These penalties are intended to prevent gatekeepers from engaging in practices that could harm competition, consumers, and the market as a whole.

How the Digital Markets Act reshapes tech competition

The Digital Markets Act focuses on the practices of large online platforms designated as gatekeepers. Its primary objective is to address the power imbalances between these platforms and their business users, promoting a more competitive and equitable digital market. The following sections define in detail the ways in which the DMA reshaped tech competition within the European Union.

Leveling the playing field

The DMA imposes several obligations on gatekeepers, such as preventing them from exploiting their dominant positions by engaging in practices like self-preferencing their own services or products over those of competitors. These restrictions mean that gatekeepers cannot prioritize their products or services in search results or recommendations, for example, at the expense of other businesses.

Promoting interoperability and access

The DMA seeks to create a more open and competitive digital environment by mandating that gatekeepers ensure interoperability and provide access to their platforms under fair, reasonable, and non-discriminatory conditions. The DMA aims to encourage smaller firms and new entrants to enter the market by mandating gatekeepers to provide access to their platforms under fair terms. These mandates can lead to increased innovation and competition as smaller firms can leverage the services of the dominant platforms and potentially build upon them to create new services and products.

Increasing consumer choice

The DMA aims to promote consumer choice and prevent unfair practices that could limit the freedom of users to choose alternative services. The DMA seeks to enhance competition between gatekeepers by encouraging them to compete on the quality of their services rather than using their market dominance to lock users into their ecosystems. To achieve consumer choice, the DMA proposes to create a level playing field that will facilitate easier switching between platforms, making it more convenient for users to choose alternative services.

Facilitating data access and portability

Under the DMA, gatekeepers must provide business users and consumers with enhanced control over their data. Great control allows users to easily transfer their data to other services, enabling them to switch between service providers without barriers.

The DMA aims to promote innovation and competition in markets that rely on data by giving users the right to transfer their data. The DMA recognizes that data is a valuable resource for creating new products and services and that facilitating data transfer between service providers will foster the growth of data-driven markets.

Addressing systemic issues with structural remedies

The DMA legislation provides a framework for regulating digital markets and ensuring fair competition. Under this legislation, gatekeepers who repeatedly violate the DMA's rules can be subject to structural remedies, such as the divestiture of certain businesses or services. This enforcement tackles systemic issues that contribute to unfair competition, such as the abuse of market power, discriminatory treatment of competitors, or manipulation of user data.

However, it is important to note that the imposition of structural remedies is not taken lightly and only applied in cases where there is clear evidence of systematic violations of the DMA's rules. The main goal of the DMA is to create a level playing field for all market players, and structural remedies are just one of the many tools to achieve this objective.

Harmonizing rules across the EU

By establishing a single set of rules, the DMA aims to make it easier for businesses to operate across member states and for consumers to benefit from consistent protections, similar to how the GDPR and the DORA harmonize data protection and digital operational resilience regulations, respectively. The harmonization of rules and regulations across the EU supports the creation of a single digital market, which will enhance the global competitiveness of European businesses.

Moreover, by creating a single digital market, the DMA aims to enhance the competitiveness of European businesses in the global market. A single digital market is attractive to businesses and consumers as there are more opportunities for growth and innovation. Ultimately, a growing and equitable digital landscape helps to position European businesses as leaders in the global digital economy.

Protect your tech company with UpGuard

The DMA helps protect the online platform industry by promoting free and fair competition for tech companies. If you’re in the market to protect your tech company from cyber threats, consider investing in UpGuard BreachSight—our all-in-one external attack surface management tool.

UpGuard BreachSight helps you confidently manage your attack surface, allowing you to discover and remediate risks 10x faster with continuous attack surface monitoring. View your organization’s cybersecurity at a glance with our user-friendly platform, which you can also use to communicate internally about risks, vulnerabilities, or current security incidents. Features include:

  • Continuous monitoring: Get real-time information and manage exposures across domains, IPs, and employee credentials.
  • Attack surface reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting.
  • Workflows and waivers: Simplify and accelerate how you remediate issues, evaluate risks, and respond to security queries.
  • Reporting and insights: Access reports tailored for stakeholders and view information about your external attack surface.
  • Data leak detection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches.

Related posts

Learn more about the latest issues in cybersecurity.
Compliance and Regulations

NIST compliance in 2025: A complete implementation guide

NIST compliance ensures alignment with leading cybersecurity frameworks. Explore how the NIST standards can safeguard sensitive data and manage third-party
Edward Kost
Edward Kost
December 2, 2025
Compliance and Regulations

Introducing UpGuard’s DPDP Act Security Questionnaire

Discover the latest addition to UpGuard's industry-leading Questionnaire Library and learn how to achieve comprehensive DPDP compliance.
Nicholas Sollitto
Nicholas Sollitto
November 18, 2024
Compliance and Regulations

From NIS to NIS2: What Your Organization Needs to Know

Understanding the transition from NIS to NIS2 is crucial for protecting your organization. Explore the key changes and compliance steps in this blog.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

How to Prepare for a Cyber Essentials Plus Audit

Learn more about the Cyber Essentials Plus independent assessment process, and steps your organization can take to prepare.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

PSPF 001-2024: Safeguarding GovTech from Foreign Influence

Explore Australia’s new PSPF Direction, including key components and strategies to help government entities prevent foreign influence over tech assets.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

GDPR's Influence on Indian Data Protection Practices

Explore the impact of the GDPR on India's cyber regulations, comparing pre-GDPR and post-GDPR data protection laws.
Leah Sadoian
Leah Sadoian
July 10, 2025
All posts