The gatekeeper platforms regulated by the European Union’s Digital Markets Act (DMA) must comply with the law as of 6 March 2024. The DMA requires that core platform services create and make available interfaces that allow business users to access end users via the platform at lower cost and on better terms.
For example, app developers will have the right to distribute on handsets through different app stores, using different payment services, directing users to purchase content on the web and charging different prices in different channels. The gatekeeper must provide the application programming interfaces, or APIs, to enable business users to take advantage of these rights.
However, the DMA does not define exactly what those APIs should be. Rather, the law requires a gatekeeper’s interface to be ‘effective’, meaning business users can use it to enter, compete and innovate. Because such a design is not, in general, in the interest of the gatekeeper, the input of business users to both gatekeepers and the European Commission is critical for evaluating compliance with the law.
Thus far there is little evidence of platforms interacting with business users or putting out interfaces for evaluation by business users, or of business users offering comments on what interfaces would be best for entry and competition.
It may be that the interface must come first, and then its existence will stimulate entry of new business users or investment into new services that will use the interface. Rather like the chicken and the egg, which should come first? Business users are needed to help create useful interfaces, while useful interfaces are needed to justify investment and entry by business users.
The European Union’s Digital Markets Act (Regulation (EU) 2022/1925) facilitates access for business users to the core platform services of large digital gatekeepers so that those business users can innovate and grow. However, successful enforcement of the law requires those business users to engage in the regulatory process to help define the interfaces they will use to access the platform.
Under the law, the regulated platforms must develop the relevant technical specifications of the interface and share them with business users. An interface could be the APIs that, for example, allow a rival app store to function on a handset’s operating system, a rival payment system to offer services to apps or a business user to obtain valuable data.
This engagement by the business user is needed because the DMA requires that the interface be ‘effective’ in order to be compliant with the law – in other words, the business user can run its business using the new interface. Without engagement from business users, it is difficult for the European Commission to evaluate effectiveness.
If gatekeepers, which are the large, unavoidable platforms regulated by the DMA, design interfaces without such interaction, they may not be useful to existing and future business users. Flawed interfaces are less likely to increase contestability and fairness, which are the goals of the DMA. Effective interfaces are also necessary to maximise business-user innovation that benefits consumers.
The adoption of interfaces without sufficient input from business users seems at time of writing to be a substantial risk, given the limited progress to date and the rapidly approaching compliance deadline of 6 March 2024. Europe is home to app developers, merchants, video channels, news, banks, digital advertising services and other complements to the gatekeeper platforms.
If these businesses wish to be protected from the market power of digital gatekeepers and, indeed, obtain new opportunities to grow and innovate, they have a responsibility to engage. By the same token, the European Commission will need to deliver for these business users by requiring gatekeepers to be responsive to the legitimate problems they raise.
The Commission will also need to protect business users who rationally expect retaliation (perhaps globally) from gatekeepers. Retaliation or lack of competence on the part of the Commission would severely limit the interest of business users in engaging in the process and would risk undermining the effectiveness of the DMA.
Moreover, if few business users step forward with innovative plans, it will feed the narrative that Europe cannot innovate, not just in gatekeeper platforms, but in complements as well.
The Digital Markets Act regulates business-user access to 22 core platform services provided by gatekeepers, so that those business users are able to connect with end users, are not burdened with costs and restrictions imposed by the gatekeeper and can innovate in ways the gatekeeper may not prefer.
In order to be sure each core platform service’s interface enables business users to achieve those outcomes, it is particularly useful if they engage in the regulatory process to help define the interface. If an interface is not effective at achieving contestability and fairness, then the gatekeeper concerned is not in compliance with the law.
The interfaces defined by the DMA are not open to business users as a right today. Beginning on 6 March 2024, gatekeepers must make these interfaces available to business users. But because the interfaces are currently not available to business users, existing business users have not yet built products that will be accessible through the interfaces, and of course new business users have not yet entered and begun operation. This dynamic causes the following chicken-and-egg situation:
– An existing, functional interface enables the arrival of a business user.
– An existing business user must engage with the regulator to enable the arrival of a functional interface.
The second part of the conundrum occurs because the DMA provides no list of technical specifications or code that platforms must use to design their interfaces. The law uses regular English-language words to describe the rights the business user has and what the business user should be able to accomplish with those rights.
Compliance is therefore defined not in a technical sense but in outcomes: can a business user effectively employ the interface to achieve the goal described in the rule? Compliance means the business user can enter and be functional. In addition, interfaces must not discriminate or be biased between business users, or between business users and the gatekeeper’s own businesses.
Second, compliance is defined using the idea of effectiveness, meaning that an interface design that does not offer a full working solution to access the CPS is not compliant.
However, such a practical definition creates a challenge for the bureaucrats enforcing the law. The regulator cannot determine if the interface complies by examining its code or technical features used.
Nor can government lawyers know and appreciate the needs of entering business users, and whether the gatekeeper’s proposed interface is designed to enable business users, is deficient in major respects, or subtly undermines rivals’ competitive advantage.
There are two common alternative routes to regulating interfaces not chosen in the DMA. One approach is to specify in detail the technology to be used. Telecoms regulators have taken this path in many cases over past decades, from phone jacks to the allocation of spectrum bands to standards for mobile telephony (Contreras, 2019).
However, a difficulty with specifying technological solutions in the context of modern digital platforms is that it creates a heavy burden on the regulator. The regulator must become an expert in the technology of a particular core platform service, affirmatively describe the solutions it wants the gatekeeper to use and update them as technology changes. And that work must be carried out for each core platform service.
The Commission would likely face difficulties in hiring enough qualified engineers to design so many interfaces, to say nothing of keeping solutions current as technology changes. Gatekeepers and business users would likely disagree regularly with the Commission’s technical choices, and this would lead to argument and litigation.
Providing the technical solutions in this way is simply not practical in light of the huge asymmetry of information and skills between gatekeeper platforms and Commission staff.
A second approach used for many technological interfaces is to rely on the work of a standard setting organisation (SSO). The SSO is comprised of a large group of stakeholders who decide by consensus on a common standard for the industry to adopt (eg. electricity, 5G, Wi-Fi).
Often there are many types of stakeholders in the SSO who have differing goals and incentives. For example, the standards adopted for mobile telecoms will affect handset makers, chip makers, equipment makers and carriers, among others.
In addition, many of these parties have market power in their industries and/or proprietary technology they want the standard to include so they can earn licensing revenue. Any interested company can participate in an SSO as long as it abides by the organisation’s rules.
It can be difficult and slow for all these different parties with their different interests to agree on a common standard – and this can be inefficient when technology moves quickly.
Furthermore, the choices of technologies included in the standard can be distorted by the economic power of certain members and the coalitions and compromises adopted in order to get agreement. For these reasons and others, the SSO approach to interface design is far from perfect (Bekkers et al 2023; Simcoe, 2012; Farrell and Simcoe, 2012).
If the business must seek permission from the gatekeeper to enter, and this requires the entrant to share technical information, its business could be copied by the gatekeeper or discriminated against. In this case the business user would have invested without gaining anything, and indeed would be harmed by participating
However, it is an open, workable mechanism that allows industries to adopt technologies that require substantial coordination to deliver consumer benefits.
But importantly, the settings in which SSOs are used differ greatly from those addressed by the DMA. A designated gatekeeper under the DMA is a long-established monopoly or duopoly platform that business users need to access in order to reach end consumers. The gatekeeper alone has made technical choices and developed its interface over time. The gatekeeper’s own capabilities, complementary assets and strategy have affected those choices.
The interface is not a future technology for which no technical standards have yet emerged. A traditional SSO would be a committee of third parties, including some business users, tasked with designing the gatekeeper’s interface. For this reason, the SSO approach to achieving contestability and fairness is probably not the least-burdensome regulatory technique from the perspective of the gatekeeper.
On the other hand, the business users who wish to connect to the interface are a heterogeneous group with different business and technical strategies, despite their common goal of creating an effective interface. This group might benefit from a structure similar to an SSO to help them coordinate and interact with both the gatekeeper and the Commission.
The advantages of the DMA include its recognition that the gatekeeper has the most knowledge of its own technology and the clearest view of its future plans for the development of that technology in light of current trends and is therefore best positioned to develop APIs that function well.
The law requires the gatekeeper to deploy an interface that business users can use to enter, compete and innovate. The DMA further regulates how the gatekeeper can use its interface to affect competition on the platform.
For example, the rules prohibit bias in ranking and indexing. The gatekeeper is likely to find this approach less intrusive than the technical-specification or SSO options because the gatekeeper retains control over its own technology and can make efficient choices, while adhering to the requirement that the resulting interface be functional for the business user.
However, this discussion makes it clear why the regulator needs engagement from these business users in order to know what to look for in the interface, what questions to ask of the gatekeeper and the importance to place on different elements of compliance.
In addition, there is the problem of the valuable and innovative business users who are at an early stage of development and are therefore difficult to help. Of course, many business models will be straightforward and predictable.
It is very likely, for example, that gaming and dating apps want to use rival payment services, and banks want to enter with their own digital wallets. However, successful DMA enforcement will stimulate creative new ideas from business users that may not be obvious currently.
The business user’s role, therefore, is to engage with the gatekeeper, provide feedback to the gatekeeper, inform the Commission about problems or trade-offs in the gatekeeper’s proposed solution and provide technical information to Commission staff, who must have compliance conversations with the gatekeeper.
Without the regulator and the business user community functioning together, the resulting interface is likely to be flawed, and possibly not very useful for entrants.
It is this last step that seems to be a shortcoming in the design of the DMA. There is no instruction in the law that lays out how a gatekeeper must communicate to current or potential business users, nor is there any timetable of when these communications must occur1.
Waiting for business users to appear has the drawbacks described above. And because asymmetry of information is severe between gatekeepers and business users, any unsupervised negotiation between them may not result in outcomes that are sufficiently contestable and fair.
The concern that this negative feedback loop will cause risk and delay is first order. Gatekeepers have no financial incentive to provide the kind of interface for business users that would facilitate entry and competition – which would lower their profits.
Therefore, only robust oversight by the Commission, in combination with information from potential entrants, is likely to establish the right conditions for timely entry. To launch on 7 March 2024, a business must have already worked out its strategy, developed a revenue model, designed its code based on technical information from the gatekeeper, and so forth.
Suppose, for example, that a rival app store wishes to launch on iOS and Google Android, both of which are regulated core platform services. For the entering store to develop its software for review by the CPS, it must be told the technical specifications of the interface the CPS will be adopting.
The CPS may also want to undertake a security review of the entering app store and closely examine its code and technology. But for that to happen, the code must be written. Supposing the entrant has its technology created and is ready to enter. Can it offer its product for use by consumers and expect the store to function, or will the CPS require a review of the rival’s corporate governance, insurance policies, data storage practices and the like?
If the CPS wants to carry out such a review to protect consumers, this will take time, and an entrant that is otherwise ready will want to start the process before March 2024.
Other issues of interest to the business user will likely include features and functionality of the interface, such as what authorisation is needed for the store to be sideloaded. If the CPS does not want to develop safe sideloading, will the CPS carry the rival store within the legacy app store or in some other channel?
Legacy stores engage in automatic updates and allow a user to keep track of subscriptions; the APIs for these features must be made available and equivalent for entering app stores so that their service is comparable.
The gatekeeper could make any of the parameters above unworkable, slow, expensive or biased – which would constitute noncompliance with the DMA. But if the regulator does not understand the existence or extent of the noncompliance, it cannot effectively take action against it.
The entering business user may need to seek funding from banks or venture capitalists if it is not part of a large corporation with enough free cash flow to fund its entry costs. The providers of capital will engage in due diligence and evaluate the risk of the project. There are the usual risks inherent to new businesses, such as the competence of management and demand for the service.
But venture capitalists will also consider the risk of a new business losing access to its end consumers – because the business must access those consumers through the gatekeeper’s interface. On top of standard business risk, the entering business will need to manage the risk that the interface will be biased, will fail to include some technology or even will not exist.
Good enforcement would reduce or eliminate those risks. VCs will therefore evaluate the DMA, its legal strength and the competence of the enforcing authorities2. If sources of capital are deterred by regulatory risk, then entrants who should be helping the Commission ensure a working interface may simply fail to exist (Krueger et al 2020; Hail and Leuz, 2006).
Of course, the Commission could simply wait until after the deadline to see if what the gatekeepers themselves create results in successful entry. If at that time no entrants appear, the Commission could then engage with business users to find out why they have not entered.
A conceptual problem with this approach is that some of the missing business users will be entrepreneurs who will not exist until the interface creates conditions conducive for investment.
Second, if the gatekeepers have complied according to their own definitions and that compliance is simply not useful to potential entrants, the DMA and the Commission will look ineffective or incompetent.
At that point the steps needed to implement a useful interface will likely take another year, given the time needed for a regulator to evaluate existing compliance, interact with technical and business experts, communicate with the gatekeepers and then wait for the engineering cycle to repeat.
Third, a delay of this type, in addition to failing to change fairness and contestability, weakens trust in the law. This, in turn, impacts business users’ incentives to invest, as noted above. Uncertainty about whether the regulator can deliver on usable interfaces lessens the ability of new entrants to raise capital and innovate.
The DMA requires each gatekeeper to report, six months after designation as a gatekeeper and annually thereafter, on “the measures it has implemented to ensure compliance with the obligations laid down” in the DMA (Art 11(1) DMA)3.
Among many other things, gatekeepers must use the template established by the Commission to report on business-user entry in each of their core platform services. For example, the template instructs gatekeepers to report:
(2.1.2(r)) “…depending on the circumstances, data on the evolution of the number of active end users and active business users for the relevant core platform service and, for each relevant obligation, the interaction of end users with choice screens and consent forms, the amount of in-app purchases, the number of pre-installed defaults as well as yearly revenues from payments related to those pre-installed defaults, counts of end users who switch, counts of business users who obtain data access, etc.”
(2.2) “A list of the Undertaking’s core platform service’s top fifteen (15) business users per core platform service based on revenues established in the EEA for the last year…”
Gatekeepers may be concerned that if there is no entry in a CPS, this fact will be used to demonstrate noncompliance. However, such a strong conclusion might not be warranted because entry requires action from two parties, both the gatekeeper and the entrant.
Therefore, lack of entry is, alone, not proof of gatekeeper noncompliance. Rather, it is useful evidence because it creates a one-way flag. If entry has occurred, then clearly the interface works at least at some basic level. By contrast, if there is no entry, this is a concern that requires the regulator to follow up and find out why business users are absent.
The first possibility is that there is no interest in entry on the part of business users because the opportunity is not profitable. However, if the European institutions responsible for the DMA engaged in appropriate research to design the law, and successfully responded to concerns of business users, then it seems unlikely the DMA would identify core platform services where access is not, in fact, demanded by business users.
A second possible explanation for a lack of entry is that the business users are interested but are waiting until the uncertainty around enforcement of the DMA is resolved before investing. Business users may not want the risk of spending money on a project that depends on a new law with a new method of enforcement. They may be concerned the interface they need won’t work well enough to support a viable business.
Enforcement might deliver a basic interface and the rules for using it in March 2024, but this will only serve as a start to negotiations between business users and gatekeepers. Innovative entry will have to wait until the next engineering cycle, after these negotiations have taken place.
Worse, business users may not trust that the Commission will be able to execute this law at all. The required interface may not materialise. The Commission could be outlawyered or outmanoeuvred by the gatekeepers so that – despite the provisions in the law that try to protect against this outcome – both the Commission fails to enforce, and courts do not mandate the required interfaces. Business users fearing this outcome will be reluctant to invest until they see proof of working interfaces.
Possibly business users will not have entered because they are afraid of developing a business that will compete with the gatekeeper or are afraid of engaging with the Commission to critique the gatekeepers, because they expect retaliation from gatekeepers.
For example, the Commission might share the concerns, meetings or filings of such business users with the relevant gatekeeper. This might be necessary to explain the needed improvements or demonstrate demand for them, or it might be considered necessary as part of the rights of the gatekeeper, which could face a noncompliance proceeding if it fails to respond. However, in either case, sharing the information may expose the business user to retaliation.
That retaliation may be subtle or difficult to measure. Its cause may be impossible to assign with certainty and may occur outside the European Union. The possible insufficiency of existing protections for complainants is a serious concern.
Relatedly, if the business must seek permission from the gatekeeper to enter, and this requires the entrant to share technical information, its business could be copied by the gatekeeper or discriminated against. In this case the business user would have invested without gaining anything, and indeed would be harmed by participating.
A group that deserves analysis is existing gatekeepers who may be considering entering against other gatekeepers. Many gatekeepers have smaller businesses that compete with a designated CPS, or they have the assets needed to build a rival and enter. The DMA will lower the costs of entry or growth for these rivals as well.
However, gatekeepers may assess the potential for entry and decide that they are better o? with mutual forbearance. For example, suppose gatekeeper X has core platform service A designated under the DMA, while gatekeeper Y has core platform service B.
If gatekeeper X aggressively enters or expands a business to compete with B, it may trigger a response from gatekeeper Y in core platform service A, where it may choose to enter or make increased investments. The resulting intensified competition in both CPS A and B could lower overall profits for both gatekeepers.
This, of course, is exactly what the DMA is supposed to do. There are many possible entrants of this type: Meta in e-commerce and app stores; Amazon in app stores and handset design; Microsoft in search and app stores; Google in e-commerce; Apple in search and digital advertising.
These potential entrants or smaller rivals may not wish to raise the competitive intensity of their interactions with other gatekeepers, but rather continue to ‘stay in their lanes.’
There is not much time to improve enforcement before the deadline. The DMA may simply have been designed in a way that requires several years of iteration before consumers can expect to see the effective opening-up of gatekeeper platforms and increased innovation.
However, the Commission should do whatever it can under current law to protect business users who engage in the regulatory process. For example, the Commission might avoid reporting to the gatekeeper concerned complaints from named business users, but might find alternative methods to provide legal security to both sides.
The Commission should also make clear the extent of business user protections so that business users are not harmed by choosing to engage, as such experiences will reduce engagement from other business users.
If legal obligations need to be tightened up in order to effectively protect business users under the DMA, the Commission should not hesitate to do so using the power to adopt delegated acts that it is granted under Arts. 12 and 49 DMA.
The DMA prohibits retaliation by gatekeepers against business users under Article 5(6) (and further explained in Recital 102). It would be helpful for the Commission to explain how it plans to enforce in this area, perhaps clarifying how the regulation applies depending on the geographic location of the retaliation.
An interesting topic to spell out is how, if retaliation constitutes noncompliance with the DMA, a gatekeeper engaging in it would add to its count of violations and contribute to a finding of systematic noncompliance. Under Article 18, this can result in structural remedies, such as divestiture, being applied to the gatekeeper.
Other solutions to the chicken-and-egg problem might include requirements around timeliness of gatekeeper responses to requests for interoperability specifications and subsequent access. If needed, these requirements could lay out step-by-step procedures on engagement between gatekeepers and business users.
Additionally, the Commission could require gatekeepers to set out publicly any security review process required for business users, its costs and timeline. Gatekeepers should also post information of interest to potential entrants, such as how features like ‘auto-updating’ will be handled.
Speeches by Commission officials and national competition authorities explaining the role of business users and the protections afforded them, might assist in reducing information asymmetry with business users in relation to how all these processes will work.
In particular, national competition authorities are naturally better connected to their local business communities and could engage in outreach to existing business users and entrepreneurs in their member states.
Lastly, industry associations might be able to help potential business users join together to express concerns and develop technical suggestions for the gatekeeper that are broader and more robust than any of them could make alone.
Such organisations might be more effective in conveying the concerns of their members to the Commission, while enabling anonymity and creating economies of scale for smaller business users.
1. For example, the UK Competition and Markets Authority provides a process description in some instances; see CMA (2022), page 40.
2. For a practitioner perspective, see Dannemiller et al (2017).
3. See ‘Template form for reporting pursuant to Article 11 of Regulation (EU) 2022/1925’, European Commission, 9 October 2023.
Bekkers, R, C Catalini, A Martinelli, C Righi and T Simcoe (2023) ‘Disclosure rules and declared essential patents’, Research Policy 52(1), 104618.
CMA (2022) Mergers: Guidance on the CMA’s jurisdiction and procedure, Competition and Markets Authority.
Contreras, J (2019) ‘Engineering Rules – A Major Contribution to the Early History of International Standardization’, Yale Journal on Regulation, Notice & Comment, 4 October.
Dannemiller, D, JL DeWitt and A Gajjaria (2017) Building regulatory-ready organizations: Managing regulatory and compliance risk at investment management firms, Deloitte Center for Financial Services, Deloitte University Press.
Farrell, J and T Simcoe (2012) ‘Choosing the Rules for Consensus Standardization’, The RAND Journal of Economics 43(2): 235–252.
Hail, L and C Leuz (2006) ‘International Differences in the Cost of Equity Capital: Do Legal Institutions and Securities Regulation Matter?’ Journal of Accounting Research 44(3): 485-531.
Krueger, P, Z Sautner and LT Starks (2020) ‘The Importance of Climate Risks for Institutional Investors’, The Review of Financial Studies 33(3):1067–1111.
Simcoe, T (2012) ‘Standard Setting Committees: Consensus Governance for Shared Technology Platforms’, The American Economic Review 102(1): 305–36.
This article is based on Bruegel Working Paper 02/2024.