The Digital Markets Act (DMA) grace period for gatekeepers to comply has now ended.

The DMA is EU legislation that came into law on the 1st of November 2022 and aims to improve fairness, contestability and interoperability on very large platforms that operate in the EU and have significant and durable market power. In order not to impose expensive compliance obligations on small and medium businesses, the act only applies to truly massive companies with significant revenue that operate platforms used by tens of millions of EU consumers.

The DMA comes with serious teeth: the Commission has the power to fine gatekeepers up to 10% of global revenue, repeatedly, until they comply with the act. For reference, Apple had a global revenue of $383 billion USD in 2023 and their net profit was $100 billion USD, meaning that the maximum cost of a single fine under the DMA is $38.3 billion USD, a sum any gatekeeper would surely blink at. In the case of repeated non-compliance, the Commission can fine up to 20% of global revenue in a single fine.

Currently there are six gatekeepers who have been designated: Amazon, Apple, Bytedance, Google, Meta, and Microsoft. Reportedly X (formerly Twitter) and travel website group Booking could be added to the list in the near future.

These gatekeepers have a number of “core platform services” that have been formally designated under the DMA. To be automatically designated the service must have at least 45 million users in the EU and at least ten thousand business users. Further they need to be of a type of platform covered by the act. Currently the types listed in the act are:

  • online intermediation services
  • online search engines
  • online social networking services
  • video-sharing platform services
  • number-independent interpersonal communications services
  • virtual assistants
  • cloud computing services
  • online advertising services
  • operating systems
  • web browsers

Being designated means that the gatekeeper must make sure the designated core platform service is fully compliant with the DMA before the end of the 6-month grace period. That grace period ended today. The DMA is ex-ante, which means it is the gatekeeper's responsibility to make sure, and show, that they are in compliance.

The core platform services that have been designated, split by type are:

Intermediation

  • Amazon Marketplace
  • Apple App Store
  • Google Maps
  • Google Play
  • Google Shopping
  • Meta Marketplace

Social Networks

  • Facebook
  • Instagram
  • LinkedIn
  • TikTok

Number-independent Interpersonal Communications Services

  • Messenger
  • WhatsApp

Online Advertising Services

  • Amazon
  • Google
  • Meta

Search

  • Google

Video Sharing

  • YouTube

Operating Systems

  • iOS
  • Android
  • Windows

Browsers

  • Chrome
  • Safari

That grace period has now officially ended, so what happens now? First, each of the gatekeepers is required to have submitted a compliance report to the Commission as well as a public summary. Then, likely for the first few weeks, nothing. The EU Commission is an evidence-based organisation and will need time to assess how well each of the gatekeepers is complying with the DMA and to select the highest priority targets to start proceedings against first.

Many observers, including us, believe that Apple, due to its combative and belligerent approach, will be the first to be hit, likely with multiple proceedings. Indeed, fireworks came early with Apple’s attempt to sabotage Web Apps in the EU prior to the DMA coming into force.

Luckily for the web, Apple’s plan faced massive backlash. Our open letter to Tim Cook on the subject had 4640 individuals and 483 organisations sign. Signatures included two European MEPs (Karen Melchior & Patrick Breyer); a number of significant EU companies such as social media platform Mastodon; and individuals (advocating in their personal capacity) who work for SwissLife, Tchibo, W3C, Mozilla, Google, Microsoft, Vivaldi, BBC, Financial Times, Red Hat, Oracle, Amazon, Wikimedia, Vercel, Netlify, Shopify, Spotify, Airbnb, Berlin University of the Arts, Open State Foundation - Netherlands, Cloudflare, Meta, Chase, Squarespace, Reddit, Atlassian, Maersk, PayPal, Salesforce, Block, Adobe, eBay, Zynga, Booking.com and Thoughtworks; and many other developers and organisations from over 100 countries.

The EU Commission promptly opened an investigation into the matter.

Three days later Apple caved and reversed their decision to break all Web Apps in the EU for millions of consumers.

The EU Commission said in a statement that: “Contrary to Apple’s public representation, the removal of Home Screen Web Apps on iOS in the EU was neither required, nor justified, under the Digital Markets Act.”

Three European parliament MEPs — Karen Melchior, Tiemo Wölken, and Patrick Breyer — said in a statement to the Financial Times that it would be “in flagrant violation of the spirit, and likely the word of the DMA”, and reminded the company of the EU’s power to enforce fines of up to 10 percent of a company’s annual turnover under the new rules.

Given Apple is not a company that backs down easily or quickly, the only plausible explanation is that Apple’s lawyers decided that the plan to sabotage Web Apps in the EU (and in effect globally) would subject Apple to immediate and serious legal risk, and recommended reversing course. This is important as it shows that public outreach combined with regulatory intervention can curb the worst of Apple’s anti-competitive behaviour and not even their billion dollar a year legal budget is sufficient to maintain it. The combination of strong laws and advocacy can protect the open web.

Our non-profit organisation has two aims:

  • Fair and effective browser competition on all general purpose operating systems
  • Fair and effective Web App competition on all general purpose operating systems, in particular we are aiming for feature parity between Web Apps and Native Apps.

For readers who are unaware, Apple has effectively banned third party browsers on iOS for the last 15 years by preventing them from using their own browser engine. Instead, third party browser vendors were forced to build a thin user interface shell around the WebKit WKWebView shipped with iOS, making them reskinned versions of Safari.

This means there is no browser competition on iOS and that Apple can unilaterally set a ceiling on the feature set of Web Apps. Despite Apple repeatedly claiming that Web Apps are the alternative to their App Store, Web Apps are currently not able to effectively contest it due to missing features and bugs in Safari. No third party browser can improve the situation due to Apple’s browser engine ban.

With that context and these aims in mind, it's worth exploring the DMA, what changes it brings to the EU in relation to browsers, Web Apps and the Web, and what exactly the gatekeepers are obligated to do.

Key Passages

Recital 43

When gatekeepers operate and impose web browser engines, they are in a position to determine the functionality and standards that will apply not only to their own web browsers, but also to competing web browsers and, in turn, to web software applications.
Digital Markets Act - Recital 43

This section is particularly important as it outlines the DMA’s purpose in prohibiting browser engine bans. Specifically, it is to prevent gatekeepers from blocking competitors from providing functionality to competing browsers and to “web software applications”.

This was likely, at least in part, based on the conclusions of the UK regulator who stated:

Apple generates revenue through its App Store, both by charging developers for access to the App Store and by taking a commission for payments made via Apple IAP. Apple therefore benefits from higher usage of native apps on iOS. By requiring all browsers on iOS to use the WebKit browser engine, Apple is able to exert control over the maximum functionality of all browsers on iOS and, as a consequence, hold up the development and use of web apps. This limits the competitive constraint that web apps pose on native apps, which in turn protects and benefits Apple’s App Store revenues.
UK CMA - Interim Report into Mobile Ecosystems
(emphasis added)

Article 5(7)

Article 5(7) The gatekeeper shall not require end users to use, or business users to use, to offer, or to interoperate with, an identification service, a web browser engine or a payment service, or technical services that support the provision of payment services, such as payment systems for in-app purchases, of that gatekeeper in the context of services provided by the business users using that gatekeeper’s core platform services.
Digital Markets Act - Article 5(7)
(emphasis added)

This is the specific part of the act that actually prohibits gatekeepers from imposing browser engines. It does not allow the gatekeeper any leeway to prevent this.

Article 6(7)

Article 6(7) The gatekeeper shall allow providers of services and providers of hardware, free of charge, effective interoperability with, and access for the purposes of interoperability to, the same hardware and software features accessed or controlled via the operating system or virtual assistant listed in the designation decision pursuant to Article 3(9) as are available to services or hardware provided by the gatekeeper. Furthermore, the gatekeeper shall allow business users and alternative providers of services provided together with, or in support of, core platform services, free of charge, effective interoperability with, and access for the purposes of interoperability to, the same operating system, hardware or software features, regardless of whether those features are part of the operating system, as are available to, or used by, that gatekeeper when providing such services.

The gatekeeper shall not be prevented from taking strictly necessary and proportionate measures to ensure that interoperability does not compromise the integrity of the operating system, virtual assistant, hardware or software features provided by the gatekeeper, provided that such measures are duly justified by the gatekeeper.
Digital Markets Act - Article 6(7)

This article states that designated operating systems must provide API access to third parties for the purpose of interoperability (i.e. making their software/hardware work on or with the device). Importantly it states that this must be provided “free of charge”.

The “free of charge” requirement appears to throw a spanner in the works of Apple’s Core Technology Fee, which is a 50c per user per year fee for API access that Apple will charge for all app downloads (including app downloads from Apple’s App Store) of any developer that dares to list their app on a different app store on iOS. It’s hard to see how Apple’s lawyers possibly thought this would be compliant, but it does give some insight as to the level of hubris and belligerence that Apple is operating at here.

Gatekeepers are only allowed strictly necessary, proportional and justified security measures to prevent compromising “the integrity of the operating system”. Justified here means that the burden of proof is on the gatekeeper to show that the measure is strictly necessary and proportional.

Recital 49, Recital 52 and Article 6(5)

A gatekeeper can use different means to favour its own or third-party services or products on its operating system, virtual assistant or web browser, to the detriment of the same or similar services that end users could obtain through other third parties.
Digital Markets Act - Recital 49

In such situations, the gatekeeper should not engage in any form of differentiated or preferential treatment in ranking on the core platform service, and related indexing and crawling, whether through legal, commercial or technical means, in favour of products or services it offers itself or through a business user which it controls. To ensure that this obligation is effective, the conditions that apply to such ranking should also be generally fair and transparent. Ranking should in this context cover all forms of relative prominence, including display, rating, linking or voice results and should also include instances where a core platform service presents or communicates only one result to the end user.
Digital Markets Act - Recital 52
(emphasis added)

Article 6(5) The gatekeeper shall not treat more favourably, in ranking and related indexing and crawling, services and products offered by the gatekeeper itself than similar services or products of a third party. The gatekeeper shall apply transparent, fair and non-discriminatory conditions to such ranking.
Digital Markets Act - Article 6(5)

These recitals and articles state that the gatekeeper cannot self-preference in various forms of ranking. This could apply to the user interface design of iOS, where Apple’s apps get special locations in the settings; to the various ways Microsoft undermines browser choice on Windows; or to Google prompting users to download Chrome on google.com or youtube.com in locations that competitors cannot use. All of these behaviours are now prohibited in the EU.

Article 6(3)

Article 6(3) The gatekeeper shall allow and technically enable end users to easily un-install any software applications on the operating system of the gatekeeper, without prejudice to the possibility for that gatekeeper to restrict such un-installation in relation to software applications that are essential for the functioning of the operating system or of the device and which cannot technically be offered on a standalone basis by third parties.

The gatekeeper shall allow and technically enable end users to easily change default settings on the operating system, virtual assistant and web browser of the gatekeeper that direct or steer end users to products or services provided by the gatekeeper. That includes prompting end users, at the moment of the end users’ first use of an online search engine, virtual assistant or web browser of the gatekeeper listed in the designation decision pursuant to Article 3(9), to choose, from a list of the main available service providers, the online search engine, virtual assistant or web browser to which the operating system of the gatekeeper directs or steers users by default, and the online search engine to which the virtual assistant and the web browser of the gatekeeper directs or steers users by default.
Digital Markets Act - Article 6(3)

This article mandates browser and search engine choice screens in the EU. Mozilla recently did a study that showed a well-designed choice screen could cause significant changes in market share; specifically, Firefox could increase its market share to 20%.

Article 6(4)

Article 6(4) The gatekeeper shall allow and technically enable the installation and effective use of third-party software applications or software application stores using, or interoperating with, its operating system and allow those software applications or software application stores to be accessed by means other than the relevant core platform services of that gatekeeper. The gatekeeper shall, where applicable, not prevent the downloaded third-party software applications or software application stores from prompting end users to decide whether they want to set that downloaded software application or software application store as their default. The gatekeeper shall technically enable end users who decide to set that downloaded software application or software application store as their default to carry out that change easily.

The gatekeeper shall not be prevented from taking, to the extent that they are strictly necessary and proportionate, measures to ensure that third-party software applications or software application stores do not endanger the integrity of the hardware or operating system provided by the gatekeeper, provided that such measures are duly justified by the gatekeeper.

Furthermore, the gatekeeper shall not be prevented from applying, to the extent that they are strictly necessary and proportionate, measures and settings other than default settings, enabling end users to effectively protect security in relation to third-party software applications or software application stores, provided that such measures and settings other than default settings are duly justified by the gatekeeper.
Digital Markets Act - Article 6(4)

This article states that operating system gatekeepers need to allow third parties to be able to install their apps both by other app stores and directly (i.e. via a link over the internet).

The gatekeeper is allowed to take strictly necessary, proportional and justified security measures to protect the integrity of the hardware or operating system.

Article 6(12)

Article 6(12) The gatekeeper shall apply fair, reasonable, and non-discriminatory general conditions of access for business users to its software application stores, online search engines and online social networking services listed in the designation decision pursuant to Article 3(9).

For that purpose, the gatekeeper shall publish general conditions of access, including an alternative dispute settlement mechanism.

The Commission shall assess whether the published general conditions of access comply with this paragraph.
Digital Markets Act - Article 6(12)

This states that the terms of the app stores shall be fair, reasonable and non-discriminatory. It seems likely the exact meaning of “fair” will be extensively litigated in the EU. The act contains this paragraph to explain what “fair” means in more detail:

Pricing or other general access conditions should be considered unfair if they lead to an imbalance of rights and obligations imposed on business users or confer an advantage on the gatekeeper which is disproportionate to the service provided by the gatekeeper to business users or lead to a disadvantage for business users in providing the same or similar services as the gatekeeper. The following benchmarks can serve as a yardstick to determine the fairness of general access conditions: prices charged or conditions imposed for the same or similar services by other providers of software application stores; prices charged or conditions imposed by the provider of the software application store for different related or similar services or to different types of end users; prices charged or conditions imposed by the provider of the software application store for the same service in different geographic regions; prices charged or conditions imposed by the provider of the software application store for the same service the gatekeeper provides to itself

Crucially, the terms the gatekeeper is allowed to set are for being on the app store, not for being on the operating system. Gatekeepers have no ability under the act to set terms for being on the operating system beyond strictly necessary, proportional and heavily justified security measures.

Article 13(4)

Article 13(4) The gatekeeper shall not engage in any behaviour that undermines effective compliance with the obligations of Articles 5, 6 and 7 regardless of whether that behaviour is of a contractual, commercial or technical nature, or of any other nature, or consists in the use of behavioural techniques or interface design.
Digital Markets Act - Article 13(4)

This article grants the Commission extremely broad powers to prevent gatekeepers from seeking to avoid their obligations via “malicious compliance”. Clearly it was anticipated that at least a few of the gatekeepers would seek to undermine and circumvent the act.

Article 13(6)

Article 13(6) The gatekeeper shall not degrade the conditions or quality of any of the core platform services provided to business users or end users who avail themselves of the rights or choices laid down in Articles 5, 6 and 7, or make the exercise of those rights or choices unduly difficult, including by offering choices to the end-user in a non-neutral manner, or by subverting end users’ or business users' autonomy, decision-making, or free choice via the structure, design, function or manner of operation of a user interface or a part thereof.
Digital Markets Act - Article 13(6)

This article is to prevent gatekeepers from circumventing obligations by degrading the core platform service. It seems likely that this applied to Apple’s attempt to remove Web App installation in the EU as a method to avoid sharing it with third party browsers using their own engines, thus circumventing their obligations under Article 5(7). Apple essentially admitted this was the purpose of removing the functionality in their initial statement where they stated:

Addressing the complex security and privacy concerns associated with web apps using alternative browser engines would require building an entirely new integration architecture that does not currently exist in iOS and was not practical to undertake given the other demands of the DMA and the very low user adoption of Home Screen web apps. And so, to comply with the DMA’s requirements, we had to remove the Home Screen web apps feature in the EU.
Apple's statement on breaking Web Apps in the EU
(emphasis added)

Article 30(1)

Article 30(1) In the non-compliance decision, the Commission may impose on a gatekeeper fines not exceeding 10 % of its total worldwide turnover in the preceding financial year where it finds that the gatekeeper, intentionally or negligently, fails to comply with:
(a) any of the obligations laid down in Articles 5, 6 and 7;
(b) measures specified by the Commission in a decision adopted pursuant to Article 8(2);
(c) remedies imposed pursuant to Article 18(1);
(d) interim measures ordered pursuant to Article 24; or
(e) commitments made legally binding pursuant to Article 25.
Digital Markets Act - Article 30(1)

This article outlines the fines the commission can impose on gatekeepers that violate any part of Article 5, 6 or 7. In this case the maximum individual fine is 10% of global revenue.

Article 30(2)

Article 30(2) Notwithstanding paragraph 1 of this Article, in the non-compliance decision the Commission may impose on a gatekeeper fines up to 20 % of its total worldwide turnover in the preceding financial year where it finds that a gatekeeper has committed the same or a similar infringement of an obligation laid down in Article 5, 6 or 7 in relation to the same core platform service as it was found to have committed in a non-compliance decision adopted in the 8 preceding years.
Digital Markets Act - Article 30(2)

This article states that if the gatekeeper commits the same violation twice, the Commission can fine them up to 20% of global revenue in a single fine.

What changes is OWA pushing for?

OWA is a global organisation. In order for both browser and web app competition to be fair and effective, these changes need to happen in as many jurisdictions as possible, and we push for global uniformity.

That said, securing these changes in the EU will be a massive win for two reasons. First, EU consumers and businesses can experience the benefits of increased competition and interoperability. Second, every major regulator on the planet is looking carefully at the DMA and planning their own regimes. Any success in the EU will provide these regulators with a mountain of evidence and a blueprint to force these gatekeepers to behave.

Some important aims that could be achieved under the DMA are:

  1. Allow other browsers to compete fairly and effectively on iOS with their own engine
    Currently Apple’s browser engine entitlement contract (a contract specifically for allowing API access) is riddled with outrageously unfair terms. Given that Apple is only allowed to have strictly necessary, proportional and heavily justified security clauses in the contract, it will need to be rewritten in order to be compliant with the DMA.

  2. Force both Apple and Google to let other browsers install web apps powered by their own engine
    Currently Apple does not let browsers install web apps on iOS powered by the browser's own engine at all. Google does not let other browsers install web apps properly to achieve full system integration via WebAPK minting, which is locked to Chrome. Both companies must open this up to third party browsers to be compliant with the DMA.

  3. Ensure users' choice of default browser is respected
    In many cases on both iOS and Android the user’s choice of default browser is completely ignored. The default browser should be opened or invoked when the user clicks on a link in a non-browser app. Instead, in many cases it is silently hijacked and replaced by a completely different in-app browser. Neither the operating system nor the non-browser apps on it should engage in browser-jacking.

  4. Stop Apple from preventing browsers being listed on third party app stores on iOS
    As discussed earlier, Apple’s Core Technology Fee for API access is clearly designed to prevent developers from listing their apps on third party app stores on iOS. Given that API access is mandated to be “free of charge” under the act, Apple will need to update this in order to be in compliance with the DMA.

    Further, having a separate alternative contract with which developers can opt into their rights under the DMA at different fee structures is both bizarre and ridiculous.

  5. Stop companies self-preferencing their own browser via their core platform services
    Apple, Google and Microsoft have all engaged in behaviours and dark patterns to self-preference their browsers via their various designated core platform services. These behaviours are now prohibited in the EU by the DMA.

  6. Safari needs to allow fair competition of competing payment providers
    Currently Safari only supports Apple Pay. As Safari is a core platform service, Apple is obligated to update it so that the user can choose alternative payment providers.

  7. Reduce the power of default browser with a choice screen
    Ensure that both Apple and Google implement effective designs for their browser choice screens. Specifically, the choice screen should not self-preference their own browsers, should grant the chosen browser the “hotseat”, and should appear once on all existing devices and on all new devices (including after backup and restore).

  8. Ensure that backup and restore works for Web Apps
    Currently, on both iOS and Android, Web Apps are not included in device backups. This puts Web Apps at a disadvantage to Native Apps and needs to be fixed by both Apple and Google.

To be clear, these obligations needed to have been met by today; the fact that they have not been means that the gatekeepers are already in breach of the DMA. From OWA’s perspective, we will lodge complaints about gatekeepers who have not met their obligations unless they are making timely good faith efforts to push as quickly as possible towards compliance.

Why is this important?

If fair and effective competition for both browsers and Web Apps were allowed, 90% of the apps on your phone could be written as a Web App and would be indistinguishable, significantly cheaper and often better than native apps. Native Apps will still have a lead in cutting edge graphics and gaming technology, but here’s the thing: if companies see the Web platform as viable, they’ll invest in it and this gap will get narrower and narrower.

Over the next ten years the Web will provide more and more for consumers. Simply put, what the Web “can't do” is shrinking while its advantages are only increasing.

But for certain clear anti-competitive behaviour, mobile Web Apps would already be viable and thriving. Absent laws to prevent them from doing so, large gatekeepers are incentivized to block products they can’t excessively tax OR that compete with their own products.

The Web can do so much more on mobile, we just have to let it.

How can you help?

OWA has so much more work to do advocating for the web all over the globe. We will always need your support, and you can do that in many ways: