On March 24, 2022, the European Parliament, the Commission and the EU Member States reached an agreement on the text of the Digital Markets Act (“DMA”). And on April 23, 2022, the same set of EU bodies reached political agreement on the final text of the Digital Services Act (“DSA”). The new legislations will now make their way through the final procedural hurdles over the summer. Once these are cleared, the texts will come into force, creating a slate of new obligations that are designed to shape digital content and competition in Europe. Meanwhile, the Commission is progressing the text of a third law – the Data Act – that is expected to soon follow the same legislative process. This article provides an overview of the purpose and status of these three legislative pillars of the Union’s increasingly active approach to digital regulation.

Digital Markets Act (DMA)

The most significant of these three pillars—at least from a competition perspective—is the DMA. The DMA marks a paradigm shift in the regulation of digital markets. Designed to increased their contestability with more alacrity than traditional antitrust intervention, it provides the Commission unprecedented powers to regulate leading digital platforms and sets a global standard for other jurisdictions that are developing similar rules.

The DMA applies to platforms that are said to be “gatekeepers” between businesses and users. To be considered a gatekeeper, a firm must operate at least one “Core Platform Service” or CPS. CPSs include services such as an app store, operating system, social network, search engine, online marketplace, browser, video-streaming platform, ad service, or voice assistant. If a firm operates a CPS and meets a set of quantitative assessment criteria – detailed in the graphic below – it will qualify as a “gatekeeper.” The law’s ambit is therefore relatively narrow: it is expected to apply to the CPSs operated by each of Facebook, Apple, Google, Amazon, and Microsoft. Popular services that may be qualified as CPSs therefore include Facebook, Instagram, WhatsApp, Android OS, Search, Apple App Store, Siri, Safari, iMessage, Amazon Marketplace and AWS.

The determination and definition of a CPS is important because the core rules of the DMA apply to CPSs, not the gatekeeper company as a whole. In particular, the DMA establishes a set of categorical rules (do’s and don’ts) that gatekeepers’ CPSs must comply with. The first set of obligations are presented as being “specific” (Article 5), while the second are described as being open-ended and capable of further adaptation by the Commission (Article 6). In practice, the difference between the Article 5 and 6 obligations is likely to be minimal: both sets of rules will apply directly and will be self-executing. None of the rules require the Commission to show that they will result in anti- competitive effects. The rules they establish are rigid: the obligations are set out as categorical imperatives, leaving—at least on their face—little scope for justifications on the basis of consumer benefits. And while the DMA does provide for an exemption to the application of the rules, it is limited to instances of overriding reasons of public interest.

In terms of the specific obligations, the DMA is clearly inspired by recent antitrust cases, like Google Shopping[1] and the EPIC/Apple[2] litigation. The rules therefore pick up on and address specific theories of harm. For example:

  • Article 6(1) prohibits a gatekeeper platform from using businesses’ non-public data to compete against them (a theory explored in the Amazon Marketplace case).
  • Article 6(5) forbids gatekeepers from ranking their first-party products more favorably than competing third-party products (Google Shopping case).
  • Article 5(3) bans gatekeeper app store owners from restricting app developers from promoting offers to users through alternative sources and from contracting with users outside the app store (Apple App Store/Spotify case).

Compliance with these rules will be required from around January 2024. Failure to comply exposes gatekeepers to stiff punishment. The DMA, which will be enforced by the Commission,[3] enables penalties modelled on the existing penalties under competition law, but that also step beyond them: non-compliance can lead to fines of up to 10% of a gatekeeper’s annual global turnover, which rises to up to 20% for repeated infringements. The law also establishes that the Commission will have the power to impose a structural remedy in the face of systematic non-compliance.

Digital Services Act

On April 23, 2022, the European institutions reached a political agreement on the DSA.[4] This text will likely be adopted this summer and will enter into force in September 2022. The DSA’s rules will kick in 15 months later, likely by the end of 2023.

The DSA focuses on the distribution of online content. Contrary to the DMA, which seeks to ensure the contestability of digital markets, the DSA seeks to improve user safety online and ensure accountability of platforms for content that they transmit, host or publicly disseminate. The DSA plans to do so through a multi-layered regime of obligations, where all intermediary services will be subject to a common base of obligations and further obligations will apply cumulatively to certain types of services. While some of the rules are still being finalized, the DSA most centrally formulates rules for digital intermediaries specifying the exemption from liability for content, setting out due diligence obligations for the content they host, and establishing oversight of content moderation activities.

Enforcement of the DSA is less centralized than that of the DMA. The DSA leaves it to EU Member States to appoint a Digital Services Coordinator, an independent authority which will identify breaches and determine the penalties applicable in case of infringement. In doing so, Member States must ensure such penalties are effective, proportionate, and dissuasive, though they cannot exceed 6% of the company’s annual worldwide turnover in the preceding financial year.

The Data Act

On February 23, 2022, the Commission published a proposal for a Data Act.[5] The proposal, which was open for stakeholder feedback until May 13, 2022, will now go through the legislative process for the negotiation and ultimate adoption into law, although the precise timeline for this adoption remains unclear.

The Data Act seeks to address legal, economic, and technical issues that have led to a perceived underuse of industrial data. The new rules are designed to answer the question: “who can create value from data and under which conditions?” The hope is that a clear answer will help companies and individuals unlock the potential of their datasets in a broad range of products and services across all economic sectors in the EU.

To create this framework for data usage, the Data Act formulates new rules on: (i) Business-to- Consumer and Business-to-Business data sharing (e.g., user rights to access data and share that data with third parties); (ii) data access conditions (e.g., specifying the conditions for access and the approach to compensation for companies of various sizes); (iii) prohibition of unfair terms in data sharing contracts; (iv) Business-to-Government sharing (in exceptional circumstances, such as public emergencies or if data is otherwise not available); and (v) portability and standard-setting (e.g., allowing users to effectively switch between data-processing services providers).[6]

The rules set out in the Data Act would come to complement the requirements of the Data Governance Act,[7] agreed upon by the European co-legislators in November 2021, which seeks to create processes and structures to facilitate data sharing. The Data Act would also complement, and be interpreted in light of, the existing rules under the GDPR.

Under the current draft, data protection supervisory authorities—the bodies currently responsible for the implementation of the GDPR—will be responsible for monitoring the application of the Data Act.


The recent adoption of the final texts of the DMA and DSA, and the proposal for a Data Act, are important milestones in Europe’s digital regulatory strategy. Attention will now increasingly turn to their enforcement. The significant powers created by these legislations will lead to scrutiny as to whether they are being enforced in an effective but proportionate manner.

[1]      Google and Alphabet v. Commission (Case T-612/17) EU:T:2021:763.

[2]      Epic Games, Inc. v. Apple Inc. (20-cv-05640-YGR).

[3]      National competition authorities will have an advisory role. Private parties may also potentially be able to invoke the DMA directly in actions before national courts.

[4]      Commission Press Release IP/22/2545, “Digital Services Act: Commission welcomes political agreement on rules ensuring a safe and accountable online environment,” March 23, 2022. The text of the most current draft of the Act can be found at: https://digital-strategy.ec.europa.eu/en/library/data-act-proposal- regulation-harmonised-rules-fair-access-and-use-data.

[5]      Commission Press Release IP/22/1113, “Data Act: Commission proposes measures for a fair and innovative data economy,” February 23, 2022.

[6]      See Proposal for a Regulation of the European Parliament and of the Council on harmonized rules on fair access to and use of data (Data Act), COM(2022) 68 final of February 23, 2022.

[7]      See Proposal for a Regulation of the European Parliament and of the Council European data governance (Data Governance Act), COM(2020) 767 final of November 25, 2020.