Operationalise Digital Markets Act compliance without stalling product delivery

Executive overview

Digital platform regulation hardened in 2023–2024. The European Union’s Digital Markets Act (DMA) imposes prescriptive obligations on gatekeepers, including prohibitions on self-preferencing, mandated interoperability, and advertising transparency, with fines of up to 10 percent of worldwide turnover or 20 percent for repeat infringements.^{Regulation (EU) 2022/1925} The Digital Services Act (DSA) layers systemic risk mitigation, algorithmic accountability, and independent auditing duties on very large online platforms (VLOPs) and search engines (VLOSEs), using Article 74 to authorise fines up to 6 percent of global turnover.^{Regulation (EU) 2022/2065} The United Kingdom’s Digital Markets, Competition and Consumers Act 2024 empowers the Competition and Markets Authority’s Digital Markets Unit (DMU) to issue conduct requirements and targeted pro-competition interventions against firms with “strategic market status,” backed by penalty powers reaching 10 percent of global revenue for compliance failures.^{Digital Markets, Competition and Consumers Act 2024} In the United States, the Sherman Act and Clayton Act remain the foundation for monopolisation and merger control enforcement, with Section 2 addressing exclusionary conduct and Section 7 preventing acquisitions that may substantially lessen competition.^{15 U.S.C. §§ 1–715 U.S.C. § 18}

Executives need an operating model that satisfies each jurisdiction’s binding obligations while maintaining release velocity. This guide consolidates lessons from gatekeeper compliance workshops, DSA risk assessments, and antitrust litigation preparedness so platform leaders can allocate resources efficiently. It emphasises four imperatives: (1) formal governance and accountability structures, (2) technical capabilities that deliver mandated interoperability and data separation, (3) audit-grade transparency and documentation, and (4) agile product workflows that embed compliance gates without derailing innovation.

Use this playbook alongside Zeph Tech’s policy advocacy roadmap to coordinate regulatory engagement and with the board oversight guide to brief directors on enforcement exposure. The workflows described here support parallel compliance projects, from DMA Article 11 interoperability interfaces to DSA Article 34 systemic risk mitigations and UK conduct requirements tailored to strategic market status designations.

Legislative baseline

Digital Markets Act (Regulation (EU) 2022/1925). The DMA entered into force on 1 November 2022 and has applied since 2 May 2023, with the European Commission designating the initial gatekeepers on 6 September 2023.^{Regulation (EU) 2022/1925} Gatekeepers must comply with Articles 5, 6, and 7 obligations six months after designation. Article 5 prohibits combining personal data across core platform services without user consent and bars restrictions on business users’ ability to offer goods outside the gatekeeper’s ecosystem. Article 6 imposes obligations that may be further specified, such as allowing third-party interoperability with the gatekeeper’s operating system, app stores, or hardware features, and enabling users to uninstall preinstalled apps. Article 7 governs FRAND (fair, reasonable, and non-discriminatory) access to app stores, search engines, and social networks.

The Commission can open market investigations under Articles 17–22 to determine additional core platform services, evaluate systemic non-compliance, or assess whether new services should be included. Remedies may extend to structural separation when behavioural obligations fail. Organisations must therefore maintain documentation that demonstrates how each product release aligns with the specified obligations and be ready to furnish access to data or interfaces requested through Article 21.

Digital Services Act (Regulation (EU) 2022/2065). The DSA entered into force on 16 November 2022, with general application from 17 February 2024. Very large online platforms and search engines (≥45 million monthly active EU recipients) face accelerated timelines: once designated, they must implement risk assessments (Article 34), risk mitigation (Article 35), independent audits (Article 37), and data access for regulators and vetted researchers (Article 40).^{Regulation (EU) 2022/2065} Transparency reporting (Article 15), notice-and-action mechanisms (Article 16), and statements of reasons (Article 17) apply to all hosting services. Digital ads require repositories and disclosure of targeting parameters (Articles 26–39). Coordination with DMA programmes is critical because the same services may have overlapping obligations, such as data access interfaces that must satisfy both DMA interoperability and DSA researcher access requirements.

United Kingdom Digital Markets, Competition and Consumers Act 2024. The Act establishes a statutory framework for designating firms with “strategic market status” (SMS) in relation to digital activities that confer substantial and entrenched market power and a position of strategic significance.^{Digital Markets, Competition and Consumers Act 2024} Once designated, the CMA’s DMU can issue conduct requirements aimed at fair trading, open choices, and trust and transparency. It can also impose pro-competition interventions to address root causes of competition issues, including mandating interoperability, imposing data separation, or requiring functional changes. The Act grants investigative powers (information notices, interviews, dawn raids) and penalties up to 10 percent of global turnover, plus daily penalties up to 5 percent of daily turnover for ongoing breaches. Board members and senior managers can face director disqualification for aiding non-compliance, reinforcing the need for strong accountability frameworks.

United States Sherman and Clayton Acts. The Sherman Act of 1890 prohibits contracts, combinations, or conspiracies in restraint of trade (Section 1) and monopolisation, attempted monopolisation, or conspiracy to monopolise (Section 2).^{15 U.S.C. §§ 1–2} The Clayton Act of 1914 supplements antitrust enforcement by targeting specific practices, including mergers and acquisitions that may substantially lessen competition (Section 7).^{15 U.S.C. § 18} Recent cases—such as the DOJ’s monopolisation suits against digital advertising platforms and state-led litigation targeting mobile ecosystems—demonstrate continued reliance on these statutes. Corporate compliance programmes should document market share data, pricing, access policies, and interoperability decisions to defend against allegations of exclusionary conduct or anticompetitive tying.

Cross-jurisdictional harmonisation is essential. Firms operating across the EU, UK, and U.S. must maintain central repositories of commitments, product changes, and regulatory correspondence. This guide assumes readers are coordinating legal, engineering, and public policy teams across these jurisdictions. Where obligations diverge, we flag decision points and suggest escalation paths to senior leadership and boards, aligning with the governance rhythms in the board oversight blueprint.

Governance structure

Centralise accountability around a digital markets steering committee chaired by the Chief Legal Officer (or General Counsel) with co-sponsorship from the Chief Product Officer and Chief Compliance Officer. Establish subcommittees focused on DMA/DSA execution, UK SMS compliance, and U.S. antitrust risk. Each subcommittee should track action items, key performance indicators, and risk escalations.

Roles and responsibilities. Assign a DMA compliance lead empowered under Article 11 to interface with the Commission and respond to information requests. Pair them with engineering programme managers who coordinate technical backlogs for interoperability, data access, and default settings. Create a DSA risk officer responsible for Article 34 risk assessments and Article 37 audits. In the UK, designate an SMS conduct owner who engages with the DMU on conduct requirements and pro-competition interventions. For the U.S., maintain an antitrust litigation response team with outside counsel contacts, economic experts, and document preservation protocols.

Policies and documentation. Draft a Digital Markets Compliance Policy approved by the board. The policy should summarise legislative obligations, require compliance impact assessments for product changes, and mandate consultation with legal before launching bundled offerings or exclusive contracts. Integrate the policy into the enterprise policy management system with version control and attestation tracking. The policy must reference DMA Article 30 reporting obligations, DSA transparency reports, DMCC Act conduct requirement enforcement, and U.S. litigation holds.

Decision rights. Use a RACI (responsible, accountable, consulted, informed) matrix for critical controls: interoperability interface changes, default setting adjustments, advertising transparency updates, data sharing decisions, and gatekeeper compliance reports. Align the matrix with board committees (audit, risk, technology) and include joint sign-off for high-risk actions (e.g., delaying interoperability rollouts). Document rationales for decisions, referencing legal advice, economic analysis, and customer impact assessments.

Escalation procedures. Establish 24-hour notification protocols for suspected breaches of Articles 5–7 or DSA systemic risk incidents. Escalations should route to the steering committee, board risk chair, and relevant regulators where required. For UK obligations, ensure the SMS conduct owner can notify the DMU of material developments in line with information notice timelines. In the U.S., maintain readiness to respond to civil investigative demands (CIDs) within statutory deadlines, with pre-approved document review vendors and data rooms.

Training and awareness. Deliver role-based training for product managers, engineers, sales, and support teams. Training should cover the prohibitions on combining personal data without consent (DMA Article 5(2)), preventing anti-steering clauses (Article 5(3)), and enabling third-party interoperability (Article 6(7)). Include DSA requirements on recommender system transparency (Article 27) and ad repository maintenance (Article 39). For UK staff, focus on DMCC conduct requirements and the consequences of non-compliance, including personal liability exposure. In the U.S., emphasise behaviours that could trigger Section 2 scrutiny (exclusive dealing, tying, predatory pricing) and Section 1 risks (collusion in marketplace rules). Track completion and comprehension scores; escalate knowledge gaps to management.

Interoperability commitments

The DMA mandates interoperability across messaging, social networking, operating systems, and hardware. Article 6(7) requires gatekeepers to provide effective interoperability for third-party software and hardware features, including ensuring access to the same operating system interfaces available to first-party services.^{Regulation (EU) 2022/1925} Article 7 extends obligations to app store ranking, search indexing, and social networking, demanding FRAND access.

Inventory interfaces. Catalogue all APIs, SDKs, system services, and private interfaces used by first-party products. Map current access controls, rate limits, and documentation quality. Identify gaps where third parties lack parity. Maintain this inventory in a compliance management tool with version history and change approval logs. Align interface documentation with the developer enablement guide to ensure developer experience standards.

Design authority. Create an interoperability design authority comprising engineering leads, security architects, and legal counsel. The authority reviews interface change requests, ensures FRAND principles, and coordinates rollouts. Adopt RFC-style proposals requiring analysis of DMA compliance impacts, security implications, and user experience changes. Provide regulators with advance notice when required, documenting how security concerns justify limitations (Article 8).

Security balancing. Implement dual-track reviews: (1) compliance ensures obligations are met; (2) security assesses risk of malicious exploitation. When imposing restrictions, record detailed justification referencing Article 8 proportionality requirements. Maintain audit trails of penetration testing, rate limit rationales, and anomaly detection capabilities. Prepare to share technical documentation with the Commission or national coordinators during investigations.

Messaging interoperability. For communication services designated under Article 7(2), develop federation gateways that support end-to-end encryption while enabling cross-provider messaging. Document protocol choices (e.g., MLS, Matrix), data minimisation strategies, and fallback paths. Provide third parties with conformance test suites and certification programmes. Monitor quality metrics (delivery time, failure rates) to evidence non-discriminatory treatment.

Mobile OS controls. For operating systems designated as core platform services, ensure third-party app stores and sideloading mechanisms access the same APIs used by first-party stores. Publish security vetting criteria, code signing requirements, and sandbox policies. Provide developer support channels with SLA tracking. Document user consent flows when changing defaults or presenting choice screens mandated by Article 6(3). Align with DSA transparency requirements for app ranking algorithms and recommender systems.

Testing and validation. Establish interoperability labs that simulate third-party integrations. Use automated regression tests to detect changes affecting access. Provide regulators with test results when seeking compliance validation. Maintain logs of third-party complaints, response times, and resolution outcomes. Feed metrics into the compliance dashboard described in the metrics section.

Data use and separation

Article 5(2) of the DMA forbids gatekeepers from combining personal data sourced from different core platform services without explicit user consent. Article 5(3) prohibits preventing business users from offering products outside the gatekeeper’s ecosystem and from using business user data in competition with them. The DMCC Act enables the DMU to impose data separation remedies, while U.S. cases often examine whether dominant platforms leveraged data to foreclose rivals. Compliance requires granular data governance.

Data mapping. Maintain a living data inventory identifying datasets by origin (user-provided, observed, inferred), associated services, and legal basis for processing. Flag data flows crossing service boundaries (e.g., app store analytics feeding advertising targeting). Document user consent status and revocation mechanisms. Use data lineage tools integrated with access controls to enforce separation.

Consent management. Implement consent screens that satisfy GDPR standards and DMA expectations. Provide granular toggles for combining personal data across services. Log consent capture, withdrawal, and enforcement. Align with DSA Article 26 restrictions on targeted advertising using special category data and child users.

Business user protections. Establish technical measures that prevent first-party teams from accessing business user data beyond aggregated analytics. Use role-based access controls, data masking, and monitored data rooms. Document policies that restrict using business user performance metrics to launch competing products. In the UK, prepare to demonstrate compliance if the DMU imposes conduct requirements emphasising fair dealing and data fairness.

Advertising transparency. Build ad repositories capturing creative content, targeting parameters, delivery metrics, and funding entities. Ensure compliance with DSA Articles 39–40. For DMA obligations, provide business users with reporting interfaces to review campaign performance and pricing. Document service-level agreements for data availability. When interfacing with U.S. investigations, maintain logs showing nondiscriminatory access to advertising data and auction mechanics.

Incident response. Integrate data separation breaches into incident response plans. Trigger notifications to compliance leads and regulators within statutory timelines when personal data is combined without consent or business user data is misused. Conduct root cause analysis with remediation tracking. Report outcomes to the board and maintain evidence for potential Commission inspections.

Transparency and audits

The DSA imposes rigorous transparency obligations, including annual risk assessments, independent audits, and algorithmic disclosures. The DMA requires gatekeepers to submit annual compliance reports (Article 11). UK SMS firms must comply with DMU reporting directions, while U.S. consent decrees or litigation settlements often mandate periodic reporting.

Risk assessments. Conduct Article 34 systemic risk assessments covering dissemination of illegal content, impact on fundamental rights, civic discourse, public security, and gender-based violence. Document methodologies, risk severity ratings, and mitigations. Align assessment cadences with DMA compliance reporting cycles and DMU monitoring. Store risk registers in a governance, risk, and compliance (GRC) platform with version control.

Independent audits. Arrange annual DSA audits with accredited independent auditors. Provide auditors with access to documentation, data samples, and personnel. Track findings, remediation plans, and deadlines. Share summaries with the European Commission and, where applicable, national digital services coordinators. Evaluate whether audit results affect DMA obligations or UK conduct requirements, ensuring cross-reporting.

Transparency reports. Publish DSA Article 15 transparency reports covering content moderation, notices received, action taken, and average processing times. Provide data on recommender system parameters and user appeals. For DMA Article 11 reports, structure content around each obligation, product changes implemented, metrics, complaints received, and future plans. Deliver reports in machine-readable formats. Maintain archives for at least five years, ready for regulator inspection.

Researcher access. Implement Article 40 researcher access workflows. Vet applications, evaluate legitimate research objectives, and provide secure data access environments. Monitor for misuse, enforce confidentiality, and document revocation procedures. Coordinate with privacy teams to ensure GDPR compliance. Share aggregated insights with compliance committees to refine risk mitigations.

Appeals and dispute resolution. Provide business users with dispute resolution mechanisms, including internal complaint handling and access to mediation (Article 21). Track resolution times, outcomes, and themes. Use analytics to identify systemic issues requiring product or policy changes. Feed insights into DMU engagements and U.S. litigation risk assessments.

Market investigations and enforcement posture

EU Commission interactions. Prepare for Article 20 market investigations into systematic non-compliance by maintaining evidence of remedial efforts, engagement logs, and internal audits. If the Commission opens proceedings, activate an investigation playbook: establish a dedicated response team, secure legal privilege, gather documentation, and coordinate messaging. Conduct internal interviews with notes under legal privilege to prepare for potential formal statements of objections.

UK DMU processes. During SMS designation, provide accurate responses to information notices within statutory deadlines (minimum 14 days). Maintain readiness for DMU monitoring requests, including data on KPIs, consumer outcomes, and remedy effectiveness. If the DMU proposes pro-competition interventions, respond with evidence-based submissions, alternative remedy proposals, and implementation plans aligned with product roadmaps. Track commitments and embed them into programme management tools.

U.S. litigation preparedness. For Sherman Act exposure, maintain antitrust compliance manuals, privilege logs, and communication protocols. Implement document retention and legal hold procedures triggered by agency investigations or litigation threats. Coordinate economic analysis to model market definition, competitive effects, and efficiencies. Monitor legislative developments (e.g., potential reforms targeting digital platforms) and integrate them into strategic planning.

Global coordination. Establish a regulatory response room using secure collaboration platforms. Document interactions with EU, UK, and U.S. authorities; share insights across teams to maintain consistency. Use scenario planning to prepare for multi-jurisdictional enforcement actions, including simultaneous EU fines, UK penalties, and U.S. court orders. Align with compliance operations control room practices for crisis management.

Product delivery integration

Embedding compliance into product development is essential to avoid launch delays. Adopt a “policy DevOps” approach that integrates legal sign-off, engineering tasks, and quality assurance into standard sprint rituals.

Product requirement documents (PRDs). Update PRD templates to include a compliance section summarising DMA, DSA, DMCC, and U.S. antitrust considerations. Require product teams to consult compliance leads during ideation. Document trade-offs, user testing results, and mitigation plans. Store approved PRDs in a central repository accessible to auditors.

Design reviews. Schedule compliance checkpoints during design reviews. Legal and policy leads evaluate UI flows for consent capture, default settings, choice screens, and dispute resolution. Security reviews assess data access and logging. Capture minutes, decisions, and follow-up tasks. For high-risk features (e.g., recommender system changes), require executive approval.

Sprint integration. Add compliance stories to backlogs with clear acceptance criteria (e.g., “Interoperability API exposes feature parity, documented at developer portal,” “Ad repository includes new targeting attributes with audit trail”). Use product operations to monitor burndown charts and escalate slippage. Align release schedules with regulatory deadlines (DMA compliance six months post-designation, DSA annual audits, UK conduct requirement reviews).

Testing and QA. Extend automated test suites to validate compliance controls: verifying choice screen presentation, ensuring data separation, confirming API access parity, and checking logging coverage. Implement manual QA scripts for user consent flows and transparency reporting. Document test results, defect remediation, and regression cycles. Share outputs with auditors and regulators as evidence.

Release management. Create release gates that require compliance sign-off before deployment. Integrate with CI/CD pipelines to block releases lacking approvals. Maintain change logs referencing relevant legislative articles and obligations. Provide regulators with release notes upon request, demonstrating proactive compliance.

Metrics and evidence

Quantitative and qualitative metrics demonstrate compliance maturity to regulators, boards, and executives.

Key performance indicators.

• Interoperability parity score. Percentage of first-party API endpoints made available to third parties within 30 days of internal release.
• Consent fidelity rate. Proportion of cross-service data uses linked to valid user consent, measured via log sampling.
• Business user dispute cycle time. Average days to resolve DMA Article 21 complaints, segmented by outcome.
• Transparency cadence. On-time submission rate for DSA transparency reports, DMA compliance reports, and DMU monitoring returns.
• Audit remediation velocity. Percentage of DSA audit findings resolved within 90 days.
• Regulatory inquiry load. Volume of information requests by jurisdiction per quarter, with response SLAs.

Dashboards. Build dashboards integrating data from product analytics, compliance workflows, and legal trackers. Provide board-level summaries quarterly. Include narrative context, upcoming deadlines, and risk heatmaps. Align with ESG accountability metrics when reporting on user safety and rights impacts.

Evidence repositories. Maintain structured evidence folders for each obligation: consent logs, API documentation, transparency reports, audit results, complaint records, incident logs, regulatory correspondence, and board briefings. Use consistent naming conventions and metadata tags. Provide auditors and regulators secure access when required.

Roadmap and calendar

Build a multi-year roadmap aligning regulatory deadlines with product and compliance milestones.

Short-term (0–6 months). Finalise DMA compliance workstreams triggered by recent designations. Deliver updated consent flows, interoperability APIs, and transparency reports. Complete DSA risk assessments and audits for the current designation cycle. Respond to DMU SMS information requests and prepare for potential conduct requirements.

Medium-term (6–18 months). Anticipate additional DMA designations or service expansions. Develop automation for Article 40 researcher access. Prepare for DMU pro-competition interventions, including potential structural or functional remedies. Monitor U.S. legislative proposals and enforcement trends; update risk assessments accordingly.

Long-term (18–36 months). Plan for possible DMA revisions following Article 38 evaluations. Evaluate infrastructure for enduring interoperability (e.g., standardised protocols, third-party developer support). Invest in compliance tooling, machine-readable transparency reporting, and automated audit evidence collection. Refresh training and governance structures annually.

Calendar checkpoints. Maintain a central calendar integrating EU, UK, and U.S. deadlines. Include DMA report submission dates, DSA audit periods, DMU review milestones, and U.S. litigation filings. Synchronise with policy calendar updates. Use reminders and runbooks to ensure timely delivery.

Appendix: Cross-functional artefacts

Template library. Provide standard templates for DMA compliance reports, DSA risk assessments, DMU conduct requirement responses, antitrust litigation holds, and interoperability change requests. Store them in the compliance operations knowledge base.

Reference materials. Maintain a curated library of legislative texts, regulatory guidance, Commission Q&As, DMU policy statements, and U.S. agency guidelines. Link to third-party risk procedures for vetting suppliers supporting compliance tooling.

Continuous improvement. Conduct quarterly retrospectives evaluating compliance incidents, regulatory feedback, and stakeholder satisfaction. Document action items, assign owners, and track completion. Share lessons learned with policy advocacy teams to refine engagement strategies.

Integration with enterprise risk. Map digital markets risks to enterprise risk taxonomies. Update risk appetite statements with explicit references to DMA fines, DSA systemic risk liabilities, DMU penalties, and U.S. treble damages exposure. Present updates to the audit committee alongside other regulatory risks.

Future-proofing. Monitor legislative developments, including potential EU DMA amendments, implementation of the EU Data Act, UK investigations into cloud services, and U.S. congressional proposals targeting app stores and advertising markets. Integrate change alerts into compliance dashboards and notify the steering committee for impact assessment.