The Commission’s Seven Claims, Tested

The European Commission’s first review of the Digital Markets Act (DMA), published April 28, 2026, was meant to take stock of a regulation that governs how Europeans search, communicate, transact, store data, install software, and, increasingly, interact with artificial intelligence.

It is a regime that authorizes fines of up to 20% of worldwide turnover, contemplates the structural breakup of designated firms, and is now being administratively extended into cloud computing and AI through specification proceedings and market investigations.

What the Commission delivered, however, is a document written by the regulator about its own work. It marshals evidence the Commission itself selected, against a counterfactual it declines to specify, and reaches the conclusion that no legislative revision is needed.

In short, the Commission graded its own homework—and gave itself top marks.

At the heart of the review sit seven core claims about how the DMA has performed in practice. The scorecard that follows tests each against prior ICLE work and the broader academic literature.

  1. This is the report’s headline conclusion. The executive summary, press release, and quotes from both vice presidents all repeat the same point: In just two years, the Digital Markets Act has delivered measurable gains for users and business users.

    The Commission cites a 250% surge in new Aloha browser users; Firefox doubling daily active users on iOS in Germany and France; 164% growth in Opera’s new EU iOS users; thousands of users downloading their data; the arrival of alternative app stores on iOS; Epic’s install drop-off rate falling from 65% to 25%; new interoperable messaging apps; the removal of Google Maps and Shopping links from search results; and Apple agreeing to make nine connected-device features interoperable.

    The list is long. But it is a list of inputs, not outputs. As ICLE’s response to the DMA review consultation put it, “openness” under the DMA is “too often tallied by counting access points, rather than benefits to users.” Article 6(4) was meant to enable alternative app stores, but “true success should entail entry that yields lower prices, higher quality, or greater innovation for end users without degrading security or privacy. Treating ‘more app stores’ as a sufficient metric mistakes means for ends.” Lazar Radic, Geoffrey Manne, and Dirk Auer make the same point at length in their Berkeley Business Law Journal article.

    Three further problems compound this category error.

    First, the Commission offers no counterfactual. It attributes the Aloha, Opera, Firefox, and Epic figures to DMA enforcement, but never shows that those changes would not have occurred otherwise. The figures are vendor-reported, and percentage increases from small bases reveal little about absolute competitive significance.

    Second, the Commission does not net out the costs. Louis-Daniel Pape and Michelangelo Rossi (2025) found a 21% increase in user searches for mapping services after Google had to remove integrated Maps from search results, with no comparable increase in traffic to competing mapping services. Pablo Delgado has documented a 30% drop in direct hotel bookings through Google Hotel Ads in DMA-affected markets, with the principal beneficiaries being intermediaries such as Booking.com—itself a gatekeeper—Tripadvisor, and Trivago. Carmelo Cennamo, Tobias Kretschmer, Ioanna Constantiou, and Eliana Garcés (2025) estimate aggregate revenue losses of up to €114 billion across EU service sectors.

    Third, the Commission’s own caveats partly undercut several apparent successes. Within months of Article 6(4) compliance, the first pornographic app was distributed through an alternative iOS marketplace. Google’s compliance workshop showed that users are roughly 50 times more likely to encounter malware outside the Play Store. The two interoperable messaging apps the Commission cites—BirdyChat and Haiket—are, at best, technical proofs-of-concept, not credible competitors.

    Judged by consumer welfare—the benchmark that ultimately matters for consumers—the evidence is mixed. For several specific provisions, it is likely net-negative.

    Refuted
    Inputs ≠ Outputs
    Vendor-reported metrics, no counterfactual, costs unaccounted for, and welfare effects ignored. On consumer welfare, several provisions are likely net-negative.
  2. Section 4.4 of the report states the point bluntly: Two years after taking effect, the Digital Markets Act remains fit for purpose and requires no legislative revision.

    The Commission argues that the factual record remains “too limited” to justify legislative revision after only two years. It also contends that the DMA’s “future-proofing tools”—market investigations under Articles 17 and 19, and specification proceedings under Article 8—are “proving crucial and effective.”

    The Commission points to seven noncompliance proceedings, two fines against Apple and Meta, three cloud-market investigations, and two specification proceedings against Alphabet. It also says a “majority” of stakeholders favor robust enforcement of the current text over revision.

    Three problems undercut this verdict.

    First, the DMA’s substantive design is, as ICLE’s response to the DMA review consultation put it, “uncarefully drafted.” The text is “often vague and cumbersome,” creates legal uncertainty, and was drafted “without sufficient regard for the tradeoffs.” The asymmetry between Article 5, which is presumed self-executing, and Article 6, which allows specification, creates perverse incentives. A gatekeeper uncertain about an Article 5 obligation can obtain clarification only by risking a finding of circumvention.

    Second, the DMA’s procedural framework offers thinner protections than either the merger regime or the ordinary competition-law regime, despite authorizing comparable—or larger—sanctions. Response windows may be too short for complex economic argument. Oral hearings are limited. Access to the file is restricted.

    Under the European Court of Human Rights’ Engel criteria, and the Court of Justice of the European Union’s jurisprudence on effective judicial protection, DMA sanctions of up to 20% of worldwide turnover are plausibly criminal or quasi-criminal in nature. The DMA’s procedural framework falls short of the safeguards one would expect for penalties of that severity.

    Third, the DMA’s legal foundations remain contested. Thibault Schrepel and Maximilian de Boiscuillé’s “Questioning the Digital Markets Act’s Legality” argues that the DMA, “administered by the Commission as a standing regime of unilateral conduct control that operates alongside, and in close normative proximity to, Article 102 TFEU,” raises “structural doubts as to the DMA’s compatibility with the constitutional framework of the Treaties.” Alfonso Lamadrid and Nieves Bayón Fernández made a similar point at the proposal stage.

    The Commission reaches its “fit for purpose” verdict without engaging the live possibility that core elements of the DMA may not survive judicial review.

    The deeper irony is that the Commission has acknowledged that expanding the regime to AI and cloud may be “premature,” while simultaneously extending the regime into AI and cloud through specification proceedings and market investigations. This illustrates a broader chronic regulation problem: A regime that requires continuous oversight, perpetual negotiation, and ever finer calibration is not future-proof. It is a permanent regulatory presence dressed up as a competition rule.

    Refuted
    Three structural defects
    Vague drafting, sub-criminal procedural protections under criminal-scale fines, and contested constitutional foundations. A regime that requires continuous specification cannot be described as “future-proof”.
  3. Articles 5(2), 6(9) and 6(10) have given users meaningful control over how their personal data is used, ported, and accessed by competing services.

    The Commission cites consent screens deployed by Alphabet, ByteDance, and Microsoft; Meta’s “Consent or Pay” model, which the Commission found noncompliant in April 2025 and which Meta replaced with a “less personalized ads” alternative; thousands of users downloading their data; roughly 40 third parties integrated with portability APIs; eSIM transfers between iPhone and Android; Apple’s 50-plus new App Store Connect API reports; and Amazon’s Selling Partner API.

    The Commission starts from the wrong premise: It equates more consent flows with user empowerment.

    The Meta decision illustrates the problem. As Mikołaj Barczentewicz has argued, the Commission’s reading of “equivalent alternative” effectively requires gatekeepers to provide a free, less-personalized-ads option. The Commission’s Meta decision sends a clear signal that it will pay no attention to the economic consequences of DMA enforcement on gatekeepers. That is not a regime built around user choice. It is a regime that prescribes a particular business model—nonpersonalized advertising—regardless of what users themselves prefer.

    The empirical record on portability is no stronger. As Geoffrey Manne and Sam Bowman warned, portability mandates are not self-executing competition remedies and may even weaken entrants’ ability to retain users long enough to recoup investment. Later evidence reinforces that concern. Jian Jia, Ginger Zhe Jin, and Liad Wagman (2021) find that the General Data Protection Regulation reduced venture deals and financing, “particularly for newer, data-related, and business-to-consumer ventures.” The authors’ NBER follow-up with Mario Leccese (2025) finds reduced U.S. investment in EU startups, again concentrated among newer and data-related firms.

    Against that backdrop, the Commission’s celebration of “around 40” developer API integrations and “thousands” of users downloading their data offers thin evidence of DMA success—especially after years of mandated implementation, and in services designated as gatekeepers only after they reach at least 45 million monthly active EU end users.

    Worse, the DMA’s consent and portability regime collides with privacy and security. ICLE’s response to the joint European Data Protection Board-Commission DMA/GDPR consultation explains that the draft guidelines require gatekeepers to present porting choices “in a neutral and objective manner”—even where a choice could expose an entire account—and bar them from gathering information about a third party’s GDPR compliance record.

    Amazon’s 2025 DMA workshop showed that more than 75% of portability-access applicants were based outside the EU, many apparently data aggregators with opaque privacy policies. Apple likewise reported that some interoperability requesters sought access broad enough to read every message and email on a user’s device.

    That is not user empowerment. It is friction—and risk—rebranded as empowerment, then counted as success.

    Refuted
    Friction mistaken for empowerment
    Mandated consent flows and a prescribed business model, not user choice. Portability take-up is negligible, and the regime sits in active tension with privacy and security.
  4. Articles 5(4), 5(7), 6(3), 6(4), 6(7), and 7 have lowered barriers within and to gatekeeper ecosystems. The Commission points to browser choice, sideloading, ancillary-service unbundling, operating-system interoperability, and messaging interoperability as evidence of measurable progress.

    The Commission cites choice screens shifting browser use; the closure of Apple’s choice-screen investigation after Apple redesigned the screen; the launch of alternative app stores on iOS; Apple no longer requiring Apple Pay or Sign in with Apple; gatekeepers no longer requiring their own browser engines; 102 Article 6(7) interoperability requests received by Apple, with solutions released for 22; Meta’s WhatsApp and Messenger reference offers under Article 7; and BirdyChat and Haiket interoperating with WhatsApp.

    This is where the Commission’s structural-metrics approach is most enthusiastic, and where the welfare costs are most visible.

    The security tradeoff should come first. As ICLE scholars argued in comments on Apple iOS interoperability, opening up operating systems raises significant risks: skimming, relay attacks, NFC-triggered malware, and broad-access vulnerabilities of the kind that produced the Microsoft/CrowdStrike outage in July 2024. Apple’s December 2024 “It’s Getting Personal” documents specific cases in which business users invoked Article 6(7) to seek access to user data they did not need for interoperability and that, in the wrong hands, would enable surveillance. Mikołaj Barczentewicz’s analysis of the Apple specification decisions found that they consistently subordinate user privacy and security to the demands of complaining business users.

    Then there is Article 6(11), which the Commission’s own caveats partly undercut. There has been “no meaningful uptake” of Google’s search dataset, two years in, despite Article 6(11)’s FRAND mandate and the Commission’s subsequent specification efforts. The Kluwer Competition Law Blog summary of Google’s compliance workshop reports that competing search providers estimate “only 1–2% of the whole database is actually productive data.” This is the predictable result of forcing data-sharing without first showing that data is actually a barrier to entry.

    Finally, there is Article 7. The two interoperable messaging apps the Commission cites—BirdyChat and Haiket—are not meaningful entrants or competitors. Nor is there much evidence that mandated interoperability will shift users away from gatekeeper messaging services. Jens Prüfer Tas, Lars Wiewiorra, and Andreas Liebe (2024) survey 2,826 German consumers and find that their expected response to DMA interoperability would largely preserve—or even strengthen—gatekeeper services, while use of alternative number-independent interpersonal-communications services may fall. And the Commission’s own study on social-network interoperability found no clear demand for interoperability between designated social networks.

    Counting structural changes is not the same as demonstrating welfare gains.

    Mixed
    Structurally open, welfare uncertain
    Genuine structural changes—choice screens, sideloading, ancillary unbundling—coexist with documented security tradeoffs, negligible uptake of forced data-sharing, and the Commission's own social-network study finding no demand for the interoperability the DMA is mandating.
  5. The Commission argues that the Digital Markets Act’s existing framework, supplemented by market investigations and specification proceedings, is sufficient to extend the regime into AI and cloud. No new legislative tools are needed.

    The Commission cites three cloud-market investigations opened in November 2025, including qualitative-criteria designation inquiries into AWS and Azure, neither of which meets Article 3(2)’s quantitative thresholds; two specification proceedings against Alphabet opened in January 2026, aimed at AI-related interoperability and data-sharing; Microsoft’s Copilot keyboard key becoming configurable; and the High-Level Group’s December 2025 paper on AI regulatory interplay.

    Two points cut against the Commission’s confidence.

    First, AI markets appear competitive, with no evidence they are prone to tipping. There is no single, monolithic “AI market.” Competition occurs across applications, models, infrastructure, and task-specific use cases. Nor does the familiar “data moat” story carry the argument. Data often has diminishing marginal returns, while quality, relevance, engineering, compute strategy, distribution, and open-source innovation can matter more than scale alone.

    There is also little evidence that the proliferation of AI partnerships warrants tighter competition scrutiny. The competitive landscape remains active across the stack, and DeepSeek’s emergence shows how efficient training and open-weight models can quickly unsettle assumptions about scale-driven dominance.

    Second, the cloud market is not as concentrated as the Commission’s narrative implies. ICLE’s comments on the Competition and Markets Authority’s cloud-market inquiry showed that, even on Synergy’s broad infrastructure-as-a-service share figures—AWS at 32%, Azure at 23%, Google at 10%, Alibaba at 4%, and IBM at 3%—the maximum HHI is 2,462. That falls within the “moderately concentrated” range under the 2010 U.S. Merger Guidelines.

    Customers multi-home, switch in response to pricing, and pursue multicloud strategies. The qualitative-designation route now being pursued against AWS and Azure is itself a procedural concern: The same factors the Commission is using to initiate designation have proven insufficient when companies seek to rebut designation.

    The deeper concern is the “digital curtain” effect. The DMA has led to a steady stream of delayed launches in the EU, including Apple Intelligence, AirPods live translation, Gemini, AI Overviews, and Meta’s multimodal AI capabilities. As Dirk Auer put it in his December 2025 testimony to the U.S. House Judiciary subcommittee, “the EU’s primary export in the digital age has become regulation itself, rather than digital services.”

    Extending the DMA further into AI would multiply the same regulatory uncertainty that produces those withholdings.

    Mixed
    A poor fit that reform would not improve
    AI markets are competitive and dynamic, cloud only moderately concentrated; the DMA's rigid framework is a poor fit. Yet given the regulatory direction of travel, reform would more likely entrench the misfit than correct it.
  6. The Commission argues that the Digital Markets Act has prevented 27 divergent national digital-competition regimes from emerging, harmonized EU rules, and reduced compliance costs for cross-border operators.

    The Commission’s evidence is counterfactual: Case-by-case competition law would have been slower, and 27 national regimes would have produced fragmentation. It offers the High-Level Group as the relevant cross-regulatory cooperation mechanism, and asserts coherence with the Digital Services Act, General Data Protection Regulation, Platform-to-Business Regulation, AI Act, and Data Act.

    The harmonization claim is the weakest of the seven. The Commission presents it in counterfactual terms, with no empirical evidence. The actual record points the other way.

    The DMA has not harmonized EU digital competition rules so much as layered new rules on top of old ones. Article 1(6) expressly preserves member states’ ability to apply national competition rules to non-gatekeepers and to impose additional obligations on gatekeepers in pursuit of other public-interest objectives. Germany’s GWB §19a regime is functionally equivalent to the DMA, but operates alongside it. The Bundeskartellamt has opened proceedings against Google and Meta on data, against Apple on self-preferencing, and against Amazon on price filters—all matters squarely within the DMA’s scope. As Giuseppe Colangelo documented in his ICLE white paper at the DMA’s start, the regime creates real ne bis in idem risk that the Court of Justice of the European Union’s bpost and Nordzucker judgments resolve only conditionally.

    Meanwhile, the Commission has continued to bring traditional Article 102 cases against the same gatekeepers, including the €2.95 billion Google AdTech fine, the €1.8 billion Apple App Store fine, and ongoing cases on AI Overviews and Meta’s WhatsApp AI ban. If competition law was sufficient before—and the Commission’s own enforcement record suggests it remains the principal tool—the DMA’s marginal value is much smaller than the harmonization argument implies.

    Mikołaj Barczentewicz has traced how the DMA has come to function as a de facto digital tax on American technology companies, with the Office of the U.S. Trade Representative’s 2025 National Trade Estimate Report flagging EU digital measures as trade barriers—an external cost the harmonization calculation does not net out.

    Strongly Refuted
    The weakest of the seven
    No empirical evidence; the actual record shows layering, not harmonization. National regimes operate in parallel; Article 102 enforcement continues unabated; the DMA functions as a de facto digital tax.
  7. The Commission argues that the Digital Markets Act’s enforcement architecture is functioning effectively. That architecture includes designation, regulatory dialogue, specification, noncompliance proceedings, the Implementing Regulation, compliance reports, and emerging private enforcement.

    The Commission cites seven gatekeepers and 23 core platform services designated; some rebuttals accepted, including Apple Ads, TikTok Ads, Microsoft Ads, and Marketplace undesignation; two specification proceedings concluded; seven noncompliance proceedings, two of which produced fines totaling €700 million; and the Liligo private-enforcement case in Paris.

    The Commission’s procedural self-assessment amounts to this: It has been able to use its tools. A devil’s advocate would ask whether using a tool proves the tool works well.

    The designation regime is procedurally asymmetric. Article 3(8) allows the Commission to designate below-threshold services after a market investigation. But companies seeking to rebut a threshold-based presumption under Article 3(5) must present sufficiently substantiated arguments that “manifestly call into question” the Article 3(2) presumptions. The contrast between iPadOS (designated despite failing the relevant user thresholds) and iMessage (not designated despite meeting the quantitative thresholds) illustrates the breadth of Commission discretion.

    This reflects a broader problem. “Regulatory dialogue” has become a euphemism for opaque, indeterminate compliance negotiations in which gatekeepers bear the burden of designing, demonstrating, and defending their own compliance architecture. As Apple reportedly noted at its 2025 workshop, “no two people agree on what the DMA’s substantive obligations mean.” In a regime carrying fines of up to 20% of worldwide turnover for repeated infringements, that ambiguity raises serious rule-of-law concerns.

    Specification proceedings under Article 8(2) are shifting the Commission’s mission from policing competitive constraints to directing system design. The noncompliance decisions reveal a regulatory philosophy that pays little attention to the economic consequences of DMA enforcement on gatekeepers. And the procedural concerns Lazar Radic raised in 2023 about the draft Implementing Regulation—response windows, oral-hearing rights, and access to the file—remain.

    The Commission’s claim that “most respondents appreciated” the Implementing Regulation reflects who responded, not the substance of the concerns raised.

    Refuted
    Use ≠ quality
    Asymmetric designation, opaque "regulatory dialogue", and procedural protections thinner than antitrust despite larger sanctions. Being able to use a tool is not the same as the tool working well.