The Second Wave of DMA Compliance Reports: Hide, Seek and Duck

The DMA celebrates its second year of application. Since its existence, the regulation has brought changes to the digital space but also regulatory unpredictability in terms of legal standards and enforcement strategies. It’s, however, a time to reflect on the DMA’s achievements and there is nothing better to assess that than to look out for the developments introduced via the new wave of compliance reports submitted by the designated gatekeepers in early March 2025.

Alphabet, Apple, Amazon, ByteDance, Meta and Microsoft issued the non-confidential versions of their compliance reports by the 6th of March. There are still some gaping holes where the enforcer must drill deeper to steer gatekeeper conduct into compliance. I touch upon them in my latest episode for The Binary Agora, available here. Notwithstanding, the compliance reports also demonstrate some responsiveness to the enforcer’s demands in interpreting the regulation’s provisions.

Where are we at?

If anything, the DMA’s enforcement has not proven to be boring or uninteresting. Geopolitical shocks and a stick-and-carrot enforcement characterise the regulation’s first year. Until now, the European Commission (EC) has issued two decisions relating to Apple’s compliance with the vertical interoperability obligation, and it has triggered six non-compliance procedures aimed at sanctioning the gatekeeper’s infringements with the law. From the 550 combinations of compliance, we can say with certainty that most of the DMA’s enforcement takes place behind closed doors when the gatekeepers and the enforcer come together to discuss the merits of their compliance solutions. As VP Ribera recently declared, the enforcer aims to create “a culture of compliance with the Digital Markets Act” and “non-compliance proceedings are reserved for situations where attempts at dialogue have not been successful”.

Following March 2024, when the gatekeepers submitted their first wave of compliance reports (see here), the second time around for their submission posed additional questions on the table. According to Article 11 DMA, the gatekeepers must submit their confidential and non-confidential versions of their reports at least annually to the European Commission. Those reports must remark on the implemented measures they have introduced as a response to the application of the obligations under Articles 5, 6 and 7 DMA.

Once the EC designated the gatekeepers, it passed an additional implementing act -the Compliance Report Template– touching upon the form, content and details that the compliance reports had to abide by (for my review of the template, see here). The Compliance Report Template includes all sorts of details that the gatekeepers must disclose to comply with the broader reporting obligation under Article 11 DMA. For instance, the gatekeepers must report on the metrics it considers, ensuring that the contestability and fairness objectives embedded in the DMA are complied with. Most notably, the Compliance Report Template establishes under Section 2.1.2(i) that the gatekeeper must provide “an explanation on how (it) complies with the obligation based on all measures that were already in place pre-designation or that (it) has implemented post-designation” as well as, according to letter (ii), “specific information (…) for each measure implemented in the context of Regulation (EU) 2022/1925, regarding: a) the relevant situation prior to the implementation of the measure and how the newly introduced measure ensures compliance with the obligations laid down in Articles 5 to 7 of Regulation (EU) 2022/1925”. In other words, the Compliance Report Template does not encourage the gatekeepers to perform a forward-looking exercise when they present their compliance solutions. Instead, it reinforces the reading of the reporting obligation as a retrospective exercise of comparing the pre-DMA scenario vis-a-vis the measures the gatekeeper introduced therein.

In appearance, there is nothing particularly problematic with choosing any one of these interpretations of the reporting obligation under Article 11 DMA. Well, not until you realise that this is one of the ways by which the gatekeepers game the DMAs’ enforcement via their submitted compliance reports. This was made more evident in light of this second wave of compliance reports. Alphabet and Apple modify some of their technical implementations with the DMA and introduce forward-looking solutions to enhance their achievement of the underlying policy goals of each provision. To put it into simpler words, they put forward 2025-laser-focused compliance solutions to adapt to the DMA’s regulatory framework in parallel with their new update releases, functionality and features. In the meantime, ByteDance and Meta recap the implementations they progressively introduced throughout the year as a response to the evolution of their business models. However, neither Amazon nor Microsoft do not present anything completely new in terms of their DMA compliance. In the particular case of Amazon, it understood the reporting obligation as an opportunity to flesh out its 2024 compliance report (amounting to a rough discussion of its compliance highlights as voiced out by several stakeholders, see here) by providing more details on its 2025 version. Find under Table 1 the provisions that the second wave of compliance reports touch upon and those developments that the gatekeepers will be rolling out in the next year:

	Provisions with dedicated compliance solutions in 2025	Forward-looking solutions
Alphabet	Articles 5(2), 5(8), 6(3), 6(9), 6(10), 6(11) and 6(12)	Articles 5(8), 6(3), 6(9) and 6(12).
Apple	Articles 5(2), 6(3), 6(7), 6(9), 6(10) and 6(12)	Articles 6(3) and 6(9).
Amazon	None	None.
ByteDance	Articles 5(2), 6(9) and 6(10)	Articles 5(2) and 6(10)
Meta	Articles 5(2), 6(2), 6(9), 6(10) and 7	None.
Microsoft	Articles 5(2), 6(2), 6(5), 6(7), 6(8), 6(10) and 6(13)	Articles 5(2), 6(2) and 6(13).

Amazon’s interpretation of the reporting exercise is quite questionable since the DMA’s provisions do not apply in a vacuum. Business users thrive on the opportunities ignited by the regulator to enter new markets or to compete fairly in existing CPS-related markets. Therefore, it would make sense that the compliance report issued on its non-confidential version to the public, including stakeholders and business users, would be sufficiently comprehensive to capture all the business opportunities open to them. By adopting this particular stance, the gatekeeper delays the stakeholder’s acquisition of sufficient and comprehensive knowledge relating to how they can exercise DMA-featured business opportunities.

Browsers, defaults and data combinations

Gatekeepers shy away from defying any of the EC’s views on the regulation’s interpretation regarding those obligations where the enforcer has triggered a non-compliance procedure against them. For instance, Apple abstains from providing its view on how it will (and should) comply with the anti-steering provision contained under Article 5(4) DMA (pages 46-54 of its compliance report). As a matter of fact, the EC is set to fine the gatekeeper in the coming days for this same reason. In a similar vein, Alphabet’s compliance with the self-preferencing prohibition has not budged much (pages 170-184 of Alphabet’s compliance report and see post on their ‘blue links’ proposal).

Aside from the gatekeeper hiding spots, web browsers displayed prominently on their priorities, as stemming from their compliance reports. In particular, Alphabet and Apple refined their approach towards their compliance with the obligation under Article 6(3) DMA.

Alphabet demonstrates what seems like a change of heart relating to the power and control it holds over OEMs to roll out choice screens on devices relying on Android as their operating system. Way back in the compliance workshop organised by the European Commission in March 2024 (see our comment here), the gatekeeper argued over and over again that it had no capacity to force the hand of OEMs in rolling out the choice screens on their devices. This is the reason behind the fact that most desktops and smartphones did not display the choice screens until late 2025. It appears, however, that Alphabet does have some power over the decisions that OEMs make within their devices. For instance, on its 2025 compliance report, the gatekeeper has set out the rolling out of the choice screens as a pre-condition for their approval of an OEM license. In a similar vein, Alphabet will also be rolling out an over-the-air SearchSelector on devices running on Android 12 to ensure that the choice screens reach all end users, regardless of their device’s manufacturer (pages 108-115 of its compliance report).

Apple also demonstrates its long strides in complying with Article 6(3), but in a completely different fashion. Its compliance with the obligation does not involve forcing others (but rather itself) to roll out the web browser and search engine choice screens so that end users can switch their defaults on the iOS and iPadOS environments. There are no major questions of law or fact in that since Apple can easily transform the user experience by switching defaults on Safari. The gatekeeper, however, has really put to the test the legal requirements established by the Article 6(3) provision, and it has questioned every single one of the defaults that it had formerly engrained into its operating system. Needless to say, Apple was forced to perform such an exercise because it was the most ‘closed’ ecosystem if we compare it with the rest of the designated gatekeepers. As of the end of 2024, it had already introduced a dedicated default settings page to enable end users to change some of their defaults, including their calling or messaging default services (pages 107-122 of the compliance report). In appearance, Apple’s substantial re-working of its compliance strategy of Article 6(3) has worked its magic, since Reuters has recently reported that the European Commission is prone to drop all charges on the non-compliance procedure it had triggered against Apple for this same reason.

Furthermore, Article 5(2) DMA seems to be a popular provision with the gatekeepers since every single one has tweaked or changed its approach in terms of how it requests the consent of its end users to override the prohibition of performing data combinations and cross-using personal data across CPSs and with other services. Despite that, ByteDance was quite wary in 2024 about introducing a new consent prompt for its TikTok services since, it argued, it did not have a wide enough ecosystem of services justifying the need for consent. The report’s 2025 version turns that narrative on its own feet. ByteDance introduced in Ireland and Spain its new TikTok Shop, the platforms shopping feature, by December 2024 and it decided it was high time for it to introduce a new consent moment, given that it would, in fact, combine the end user’s personal data to cater for that particular service (pages 12-20). Although it did not reverse so much its initial position, Microsoft also re-considers some of the personal data it processes for the purposes of providing its services and includes two additional prompts shown to users on both its Windows PC OS (relating to whether the user wants to receive recommendations and promotions for Microsoft and third-party produces and services, pages 6 and 9 of the compliance report) and its LinkedIn service (by introducing a GDPR consent experience including a more granular approach to consenting to the processing of certain categories of personal data for personalised ad purposes, page 8 of the compliance report).

If one discusses data combinations, one cannot but think of Meta’s pay or consent model since the European Commission (amongst other public authorities at both the national and EU levels) has already taken issue with it. As reported in the last weeks, the EC’s imposition of a fine is unavoidable for the gatekeeper, despite its efforts to adapt its DMA compliance with Article 5(2) in line with some of the enforcer’s concerns, as presented in its preliminary findings issued in July 2024. For example, the EC took issue with the fact that the pay or consent model did not allow users to opt for a service that uses less of their personal data but is otherwise equivalent to the ‘personalised ads ‘- based service. As a matter of fact, Meta presents in its compliance report that it updated some of its choice screens when advertising was displayed to enable users to make less personalised choices after they have chosen to ‘consent’ to their personal data being processed for free (pages 8-21 of its compliance report). It is still true, however, that the EC also took issue with Meta’s compliance to the extent that it did not allow users to exercise their right to freely consent to the combination of their personal data. Since Meta has not given in and eliminated the pay or consent model from its services, the few regulatory transformations proposed in 2025 may still come short of meeting the EC’s regulatory standard relating to Article 5(2), which is surprisingly close to the EDPB’s own interpretation of this type of subscription model in its interaction with the GDPR.

A step forward or the gatekeeper’s gaming of the compliance reporting obligations

Different gatekeepers have come up with distinct compliance strategies in their renewed efforts when submitting their 2025 compliance reports. Some, such as Amazon, prefer to stand still until the enforcer realises that it must compel them to make any substantive changes to those technical implementations proposed in 2024. If the European Commission does not budge in clarifying whether it is satisfied or not with compliance, gatekeepers will rarely propose innovative compliance solutions that could do them more harm than good. Others maintain and replicate the strategy they had upheld in 2024, such as Microsoft, which has held tight in its position of providing a detailed account of its compliance with the DMA, although it has not introduced a major re-working of most of its technical implementations. And on a completely different note, regulatory targets such as Apple are quickly realising that there is a long game ahead of themselves if they want to satisfy the European Commission’s expectations in enforcing the DMA.

To that particular purpose, Amazon and Apple have also engaged with some of the enforcer’s demands in the search of the holy DMA grail: the setting out of operable metrics to measure whether a gatekeeper’s conduct falls within the permissible limits of the regulation’s provisions. Apple details a whole list of data points that could merit some of the regulator’s attention in flagging blatant infringements of the law vis-a-vis those breaches of the DMA which may result in being more uninteresting and unappealing for the regulator (pages 22 and 23 of the compliance report). According to the Compliance Report Template, it is up to the gatekeepers to track and present those metrics to the European Commission. In that sense, Apple proposes to use the number of installations of third-party app marketplaces and/or the number of developers who have selected the option to distribute via alternative distribution as a yardstick to measure compliance with Article 6(4) DMA. At face value, those seem to indicate quite a discouraging picture for Apple since not many app marketplaces have made it to the market as a consequence of the DMA’s implementation.

Aside from that, these metrics point to a matter of causation since a higher or lower number of downloads of an app marketplace does not necessarily indicate that the gatekeeper may (or may not) be at fault. The DMA generates business opportunities that business users must grasp and thrive on, and those cannot be metered in the abstract but rather by attending to the underlying policy goals of each one of the provisions which, in turn, transform the exercise into a complex interweaving of supra-objectives that the enforcer itself has not explicitly declared it pursues.

Story originally seen here