The Digital Markets Act (Regulation (EU) 2022/1925) came into force on 1 November 2022 and became fully applicable on 2 May 2023. Since March 2024, designated gatekeepers have had to comply with its obligations - and in April 2025, the European Commission issued its first fines: EUR 500 million against Apple and EUR 200 million against Meta. The regulation introduced a set of legal terms that anyone running a website in Europe needs to understand.

This glossary covers the essential DMA definitions, explains how they connect to existing privacy laws like the GDPR, and flags the practical implications for website owners.

What Is the Digital Markets Act?

The DMA is an EU regulation designed to make digital markets fairer and more contestable. Unlike competition law, which addresses anti-competitive behaviour after it happens, the DMA works on an ex ante basis - it imposes obligations before harm occurs. The European Commission is the sole enforcer.

The regulation targets large technology platforms that control access between businesses and consumers. Only those meeting specific quantitative thresholds qualify. Seven companies have been designated so far: Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft, and Booking.com (added May 2024).

Core DMA Definitions

Gatekeeper

A provider of one or more core platform services that meets the three cumulative criteria set out in Article 3(1) of the DMA: it has a significant impact on the EU internal market, it provides a core platform service that serves as an important gateway for business users to reach end users, and it holds an entrenched and durable position. These qualitative criteria are presumed satisfied when specific quantitative thresholds are met - EUR 7.5 billion annual EU turnover or EUR 75 billion market capitalisation, at least 45 million monthly active end users, and at least 10,000 yearly active business users in the EU.

Core Platform Service (CPS)

Article 2(2) lists the digital services within the DMA's scope: online intermediation services, search engines, social networks, video-sharing platforms, messaging apps, operating systems, web browsers, virtual assistants, cloud computing services, and online advertising services. Not every service a gatekeeper provides qualifies - only those specifically designated by the Commission. As of early 2026, 23 services across seven gatekeepers have been designated.

End User

Article 2(20) defines an end user as any natural or legal person using core platform services other than as a business user. If you browse Google Search or install apps from the App Store, you are an end user. Many DMA obligations protect end users' ability to switch services, port their data, and control how their personal information is combined across platforms.

Business User

A natural or legal person acting in a commercial or professional capacity that uses core platform services to reach end users. App developers on the App Store, merchants on Amazon Marketplace, and advertisers on Google Ads are all business users. The DMA grants them specific protections, including the right to offer products at different prices through competing channels and communicate directly with customers acquired via the platform.

Obligations and Prohibitions: The DMA's Do's and Don'ts

The DMA's core rules are split across three articles. Article 5 sets out absolute obligations that apply to all gatekeepers without modification. Article 6 contains obligations that can be further specified through regulatory dialogue with the Commission. Article 7 governs messaging interoperability.

| Article | Type | Key obligations |
| --- | --- | --- |
| Article 5 | Absolute obligations | No cross-use of personal data without consent; no anti-steering clauses; no bundling of CPS; advertising transparency |
| Article 6 | Specifiable obligations | No self-preferencing in ranking; allow third-party app stores; data portability; search data sharing; no use of business user data for competition |
| Article 7 | Interoperability | Messaging services must support basic interoperability with third-party providers |

Self-preferencing

Article 6(5) prohibits gatekeepers from treating their own services or products more favourably in ranking and related indexing than equivalent third-party offerings. The provision drew directly from the Google Shopping competition case, where the Commission found that Google promoted its own comparison-shopping service in search results while demoting rivals. Under the DMA, this behaviour is prohibited outright - no need to prove market dominance or anti-competitive effects first.

Anti-steering

Article 5(4) requires gatekeepers to allow business users to communicate offers to end users and direct them to alternative purchase options outside the gatekeeper's platform, free of charge. Apple's EUR 500 million fine in April 2025 related directly to this provision - the Commission found that Apple's App Store rules prevented developers from telling users about cheaper purchasing options on the web.

Data Combination and Cross-use

Article 5(2) prohibits gatekeepers from combining personal data from their core platform service with data from other services they provide, or with data from third parties, unless the end user gives explicit consent under the GDPR standard. This directly targets the practice of building detailed user profiles by merging activity across multiple platforms. Meta's EUR 200 million fine arose from its "pay or consent" model, which the Commission found did not offer a genuine, less personalised alternative as required.

How the DMA Relates to the GDPR and ePrivacy

The DMA does not replace the GDPR or the ePrivacy Directive. Recital 12 states explicitly that it operates without prejudice to these regulations. Gatekeepers must comply with all three frameworks simultaneously.

Where the DMA and GDPR intersect most visibly is around consent. Article 5(2) DMA restricts the lawful bases available to gatekeepers for certain data processing. For combining or cross-using personal data across services, gatekeepers may only rely on consent, legal obligation, vital interests, or public interest - effectively excluding both contractual necessity and legitimate interest. The DMA uses the GDPR's definition of consent but applies it more strictly: if a user refuses, the gatekeeper cannot ask again for the same purpose within one year.

In October 2025, the European Commission and the EDPB published draft joint guidelines on this interplay, covering consent, data portability, and data access. The guidelines remain under consultation and have drawn debate - particularly around whether they risk creating a new wave of consent popups similar to the cookie consent fatigue that already frustrates users.

Consent Under the DMA vs Consent Under the GDPR

| Aspect | GDPR consent | DMA consent (Article 5(2)) |
| --- | --- | --- |
| Standard | Freely given, specific, informed, unambiguous (Article 4(11)) | Same GDPR standard, but applied more strictly for gatekeepers |
| Withdrawal | Must be as easy to withdraw as to give | Same rule; refusal must not be made more difficult than acceptance |
| Repeat requests | No explicit limit (though Italian DPA has said no more than once per six months for cookies) | No more than once per year for the same purpose |
| Alternative required | Service cannot be conditional on consent (but some flexibility) | Must offer a less personalised but equivalent alternative |
| Available legal bases | All six under Article 6(1) | Only consent, legal obligation, vital interests, or public interest |

Enforcement and Penalties

Fines

Article 30 allows the Commission to impose fines of up to 10% of a gatekeeper's total worldwide annual turnover for initial violations. Repeated infringements can attract penalties of up to 20%. Periodic penalty payments of up to 5% of average daily worldwide turnover apply to ongoing non-compliance.

Structural Remedies

Where a gatekeeper systematically fails to comply after a market investigation, the Commission can impose behavioural or structural remedies - including requiring the gatekeeper to divest parts of its business or separate specific services.

Compliance Reports

Article 11 requires each gatekeeper to submit annual compliance reports describing how it meets its obligations. These must include independently audited descriptions of consumer profiling techniques. Non-confidential summaries are published on the Commission's website.

Why the DMA Matters for Website Owners

Website owners are not directly regulated by the DMA - obligations fall on designated gatekeepers. But the knock-on effects are real. Google's EU User Consent Policy, requiring websites to obtain valid consent via Consent Mode v2, exists partly because of DMA restrictions on advertising data processing. Meta's changes to its consent model affect every business running Facebook or Instagram campaigns in the EU.

The DMA reinforces the importance of proper consent management. If your website feeds data into a gatekeeper's ecosystem through analytics tags, advertising pixels, or login integrations, the gatekeeper's compliance depends partly on the consent signals your site sends.

Running a cookie scan to identify which third-party scripts your site loads is a practical first step. Many sites unknowingly set tracking cookies from designated gatekeepers before obtaining user consent.

Frequently Asked Questions

Does the Digital Markets Act apply to my website?

The DMA's obligations apply directly to designated gatekeepers, not to ordinary websites. But if your site uses services from gatekeepers - such as Google Analytics, Meta advertising, or the Apple App Store - the gatekeeper's compliance measures (like Google's EU User Consent Policy) will affect how you collect and share data.

What is the difference between the DMA and the GDPR?

The GDPR is a data protection law that applies to any organisation processing personal data of EU residents. The DMA is a competition regulation targeting large tech platforms classified as gatekeepers. They overlap on consent requirements, but the DMA imposes additional restrictions on how gatekeepers combine and cross-use personal data across their services.

How are DMA gatekeepers selected?

The European Commission designates gatekeepers based on three criteria: significant impact on the EU internal market, operating a core platform service that is an important gateway between businesses and consumers, and holding an entrenched and durable market position. Quantitative thresholds include EUR 7.5 billion in annual EU turnover and at least 45 million monthly active end users.

What fines can the European Commission impose under the DMA?

Initial violations can result in fines of up to 10% of global annual turnover. Repeated infringements can reach 20%. The Commission can also impose daily periodic penalties of up to 5% of average daily worldwide turnover for ongoing non-compliance, and structural remedies such as requiring a gatekeeper to divest parts of its business.

Can a gatekeeper combine my data across its services without consent?

No. Article 5(2) of the DMA prohibits gatekeepers from combining personal data from one core platform service with data from their other services or from third parties unless the user gives explicit consent meeting the GDPR standard. If consent is refused, the gatekeeper cannot ask again for the same purpose within one year.

How does the DMA affect cookie consent on my website?

The DMA reinforces cookie consent requirements indirectly. Gatekeepers like Google now require websites using their advertising and analytics services to obtain valid consent before data is shared with the platform. This means your cookie banner and consent management setup must send proper consent signals - typically through mechanisms like Google Consent Mode v2.

What is meant by core platform service under the DMA?

A core platform service is a specific category of digital service listed in Article 2(2) of the DMA, including online search engines, app stores, social networks, messaging apps, operating systems, web browsers, virtual assistants, cloud computing services, and online advertising services. Only those services designated by the Commission for a specific gatekeeper are subject to DMA obligations.

Stay Ahead of Platform Policy Changes

As gatekeepers adjust their policies to comply with the DMA, downstream requirements for website owners will continue to shift. Keeping your consent management current - including proper consent signals, categorised cookies, and documented user choices - protects your site against both regulatory risk and platform enforcement. Kukie.io detects cookies from gatekeeper services, maps them to the correct categories, and ensures your consent signals meet the standards platforms now demand.
