Government & Policy

DSA vs. DMA: How Europe’s twin digital regulations are hitting Big Tech

Comment

Smashing brick work with hammer
Image Credits: Colin Hawkins (opens in a new window) / Getty Images

It’s no accident that the European Union’s Digital Services Act and Digital Markets Act have such similar-sounding names: They were conceived together and, at the end of 2020, proposed in unison as a twin package of digital policy reforms. EU lawmakers had overwhelmingly approved them by mid-2022, and both regimes were fully up and running by early 2024. While each law aims to achieve distinct things, via its own set of differently applied rules, they are best understood as a joint response to Big Tech’s market power.

Key concerns driving lawmakers include a belief that major digital platforms have ignored consumer welfare in their rush to scale fatter profits online. The EU also sees dysfunctional digital markets as undermining the bloc’s competitiveness, thanks to phenomena like network effects and the power of big data to cement a winner-takes-all dynamic.

The argument is that this is both bad for competition and bad news for consumers who are vulnerable to exploitation when markets tip.

Broadly speaking, the DSA is concerned about rising risks for consumer welfare in an era of growing uptake of digital services. That could be from online distribution of illegal goods (fakes, dangerous stuff) on marketplaces or illegal content (CSAM, terrorism, etc.) on social media. But there are thornier issues, for example, with online disinformation: There may be civic risks (such as election interference), but how such content is handled (whether it’s taken down; made less visible; labeled, etc.) could have implications for fundamental rights like freedom of expression.

The bloc decided it needed an updated digital framework to tackle all these risks to ensure “a fair and open online platform environment” to underpin the next decades of online growth.

Their goal with the DSA is absolutely a balancing act, though: The bloc is aiming to drive up content moderation standards in a quasi-hands-off way: by regulating the processes and procedures involved in content-related decisions, rather than defining what can and can’t be put online. The aim is to harmonize and raise standards around governance decision-making processes, including by ensuring comms channels exist with relevant external experts in order to make platforms more responsible in moderating content.

There’s a further twist: While the DSA’s general rules apply to all sorts of digital apps and services, the strictest requirements — concerning algorithmic risk assessment and risk mitigation — only apply to a subset of the largest platforms. So the law has been designed to have the greatest impact on popular platforms, reflecting higher risks of harm flowing from stronger market power.

But when it comes to impact on Big Tech, the DMA is the real biggie: The mission of the DSA’s sister regulation is to drive market contestability itself. The EU wants this regulation to rebalance power at the very top of the tech industry pyramid. That’s why this regime is so highly targeted, applying to just over a handful of power players.

Laws with teeth big enough to bite Big Tech?

Another important thing to note is that both laws have sizable teeth. The EU has long had a range of rules that apply to online businesses but no other dedicated digital regulations are this flashy. The DSA contains penalties of up to 6% of global annual turnover for any infringements; the DMA allows for fines of up to 10% (or even 20% for repeat offenses). In some cases, that could mean billions of dollars in fines.

There’s a growing list of platform giants subject to the DSA’s strictest level of oversight, including major marketplaces like Amazon, Shein and Temu; dominant mobile app stores operated by Apple and Google; social networks giants, including Facebook, Instagram, LinkedIn, TikTok and X (Twitter); and, more recently, a handful of adult content sites that have also been designated as very large online platforms (VLOPs) after crossing the DSA usage threshold of 45 million or more monthly active users in the EU.

The European Commission directly oversees compliance with DSA rules for VLOPs, centralizing the rulebook’s enforcement on Big Tech inside the EU (versus enforcement of the DSA’s general rules being decentralized to member state-level authorities). This structure underlines that the bloc’s lawmakers are keen to avoid forum-shopping undermining its ability to enforce these rules on Big Tech as has happened with other major digital rulebooks (such as the GDPR).

The Commission’s early priorities for DSA enforcement fall into a few broad areas: illegal content risks; election security; child protection; and marketplace safety, though its investigations opened to date cover a wider range of issues.

Around 20 companies are in scope of the EU’s enforcement in relation to around two dozen platforms’ compliance with DSA rules for VLOPs. The Commission maintains a list of designated VLOPs and any actions it’s taken on each.

The DMA is also enforced centrally by the Commission. But this regime applies to far fewer tech giants: Just six companies were originally designated as “gatekeepers.” Back in May, European travel giant Booking was named the seventh.

The gatekeeper designation kicks in for tech giants with at least 45 million monthly EU end users and 10,000 annual business users. And, in a similar fashion as the DSA, the DMA applies rules to specific types of platforms (a similar number of platforms are in scope of each law, though the respective lists are not identical). The EU has some discretion on whether to designate particular platforms (e.g., Apple’s iMessage being let off the hook; same with Microsoft advertising and Edge browser. On the flip side, Apple’s iPadOS was added to the list of core platform services in April).

Regulated categories for the DMA cover strategic infrastructure where Big Tech platforms may be mediating other businesses’ access to consumers, including operating systems; messaging platforms; ad services; social networks; and various other types of intermediation.

The structure means there can be overlap of application between the DSA and the DMA. For example, Google Search is both a DSA VLOP (technically it’s a very large online search engine, or VLOSE, to use the correct acronym. But the EU also deploys VLOPSE to refer to both) and a DMA core platform service. The respective mobile apps stores of Apple and Google are also VLOPs and CPS. Such platforms face a double whammy of compliance requirements, though the EU would say this reflects its strategic importance to digital markets.

Shooting for a digital market reboot

Problems the EU wants the regulations to address by reshaping behavior in digital markets include reduced consumer choice (i.e., fewer and less innovative services), and higher costs (free services may still have expensive access costs, such as forcing a lack of privacy on users).

Online business models that do not pay proper attention to consumer welfare, such as ad-funded Big Tech platforms that seek to drive engagement through outrage/polarization, are another target. And making platform power more responsible and accountable is a unifying thread running through both regimes.

The EU thinks this is necessary to drive trust in online services and power future growth. Without fair and open competition online, the EU’s thesis is that not even startups can ride to the rescue of digital markets. It’s harder for startups to reach as many consumers as the dominant players, which means there’s a low chance that innovation alone will prevent/correct negative effects. Hence the bloc’s decision to lean into regulation.

The DSA and DMA take a different approach to Big Tech

So while the DSA aims to leverage the power of transparency to drive accountability on major platforms — such as by making it obligatory for VLOPs to publish an ad archive and provide data access to independent researchers so they can study the societal impacts of their algorithmic content-sorting — the DMA tries to have a more upfront effect by laying down rules on how gatekeepers can operate strategic services that are prone to becoming choke points under a winner-takes-all playbook.

The EU likes to refer to these rules as the DMA’s list of “dos and don’ts,” which boil down to a pretty specific set of operational requirements based on stuff the bloc’s enforcers have seen before, via earlier antitrust enforcements, such as the EU’s multiple cases against Google over the past two decades.

It hopes these commandments will nip any repeat bad behaviors — such as unfair self-preferencing — in the bud. One big “don’t” is that gatekeepers aren’t allowed to promote their own services over rivals’. While, on the “dos” side — aiming for a roughly similar levelling impact — an important element of the regulation aims to force CPS to open up to third parties to try to stop gatekeepers using control of their dominant platforms to close down competition.

Changes announced by Apple earlier this year to iOS in the EU, to allow sideloading of apps through web distribution and third-party app stores, are a couple of examples of the DMA forcing more openness than was on offer through Big Tech’s standard playbook.

Another key DMA interoperability mandate applies to messaging platforms. This “do” will require Meta — so far the only designated gatekeeper to have messaging CPS, like WhatsApp and Messenger — to build infrastructure that will allow smaller platforms to offer ways for people to communicate with people using, say, WhatApp without the person needing to sign up for a WhatsApp account.

This requirement is in force but has yet to translate into new opportunities for messaging app consumers and competitors, given that the DMA allows for implementation periods for undertaking the necessary technical work. The EU has also allowed Meta more time to build the technical connectors. But policymakers are hoping that over time, the interoperability mandate for messaging will lead to a leveling of the playing field in this area because it would be empowering consumers to choose services based on innovation, rather than market forces.

The same competitive leveling goal applies across all CPS types the DMA regulates. The bloc’s big hope is that a set of operational commandments applied to the most powerful forces in tech will trigger a wide-ranging market reset that rekindles service innovation and supports consumer welfare. But the success or otherwise of that competitive reset mission remains to seen.

The regulation only started applying on gatekeepers in February 2024 (versus late August 2023 for the DSA rules on VLOPSEs). The real-world effects of the flagship digital market reform will be playing out for months and years yet.

That said, if anyone thought the DMA’s fixed “dos and don’ts” would be self-executing as soon as the law began to apply, then the Commission’s swift announcement (in March 2024) of a clutch of investigations for suspected noncompliance should have destroyed that. On certain issues, some gatekeepers are clearly digging in and preparing to fight.

List of DMA investigations opened to date

Apple: Since March, the EU has been looking into the compliance of Apple’s rules on steering developers in the App Store; the design of choice screens for alternatives to its Safari web browser; and whether its core technology fee (CTF) — a new charge introduced with the set of business terms that implement DMA entitlements — meets the bloc’s rules. The law doesn’t include a specific ban on gatekeepers charging fees, but they must abide by FRAND (fair, reasonable and nondiscriminatory) terms.

In June 2024, the Commission announced preliminary findings on the first two Apple probes and confirmed the formal CTF investigation. Its draft findings at that point included that Apple is breaching the DMA by not letting developers freely inform their users of alternative purchase opportunities. All these probes remain ongoing.

Alphabet/Google: The EU has also been investigating Alphabet’s rules on steering in Google Play, as well as self-preferencing in search results since March.

Meta: Meta’s “pay or consent” model also went under DMA investigation in March. Since November 2023, the tech giant has forced EU users of Facebook and Instagram to agree to being tracked and profiled for ad targeting in order to get free access to its social networks; otherwise, they would have to pay a monthly subscription to use the services. On July 1, the EU issued a preliminary finding that this binary choice Meta imposes breaches the DMA. The investigation is ongoing.

DSA: EU investigations on VLOPSE

On the DSA side, the Commission has been slower to open formal investigations, although it does now have multiple probes open.

By far its most used enforcement action is a power to ask platforms for more information about how they’re operating regulated services (known as a request for information, or RFI). This underpins the EU’s ability to monitor and assess compliance and build cases where it identifies grievances, explaining why the tool has been used repeatedly over the past 11 months since the compliance deadline for VLOPSEs.

X (Twitter): The first DSA investigation the EU opened was on X, back in December 2023. The formal proceeding concerned a raft of issues including suspected breaches of rules related to risk management; content moderation; dark patterns; advertising transparency; and data access for researchers. In July 2024 the Commission issued its first DSA preliminary findings, which concern aspects of its investigation of X.

One of the preliminary findings is that the design of the blue check on X is an illegal dark pattern under the DSA. A second preliminary finding is that X’s ad repository does not comply with the regulatory standard. A third preliminary finding is that X has failed to provide the requisite data access for researchers. X was given a chance to respond.

Other areas the EU continues investigating X for relate to the spread of illegal content; its handling of disinformation; and its Community Notes content moderation feature. So far it has yet to reach a preliminary view.

TikTok: In February 2024 the EU announced a DSA probe of video social network TikTok it said is focused on protection of minors; advertising transparency; data access for researchers; and the risk management of addictive design and harmful content. In April 2024 the bloc also opened a probe of a rewards feature in TikTok Lite over concerns it encouraged excessive screen time. A few days later TikTok suspended the feature after the bloc threatened to use interim powers to enforce a shutdown.

AliExpress: In March 2024 the Commission opened its first DSA probe of an ecommerce marketplace, targeting AliExpress over suspected failings of risk management and mitigation; content moderation; its internal complaint-handling mechanisms; the transparency of advertising and recommender systems; and the traceability of traders and to data access for researchers.

Meta: In April 2024 the EU took aim at Meta’s social networks Facebook and Instagram, opening a formal DSA investigation for suspected breaches related to election integrity rules. Specifically it said it’s concerned about the tech giant’s moderation of political ads. It’s also concerned about Meta’s policies for moderating non-paid political content, suggesting they are opaque and overly restrictive.

The EU also said it would look into policies related to enabling outsiders to monitor elections. A further grievance it’s probing relates to Meta’s processes for letting users flag illegal content. EU enforcers are concerned these are not easy enough.

Penalties and impacts

The EU concluded its first DSA investigation in August 2024 — closing an investigation of TikTok Lite after accepting binding commitments from the company. The settlement does not confirm a breach of the regulation so no penalties have been issued but TikTok agreed to permanently withdraw a rewards mechanism from the TikTok Lite app across the EU.

No other DSA (or DMA) investigations have been formally concluded by the Commission as yet. Nor have any penalties been issued. But that’s likely to change as more probes conclude in the coming months and years.

As with all EU regulations, it’s worth emphasizing that enforcement is a spectrum, not an event. Just the fact of oversight can apply pressure and lead to operational changes, ahead of any formal finding of noncompliance. Assessing impact based on headline penalties and sanctions alone would be a very crude way of trying to understand a regulation’s effect.

Notably, there have already been some big changes to how major platforms are operating in the EU — such as Apple being forced to allow sideloading or open up its Safari browser, or Google having to ask users to link data for ad targeting across CPS, to name a few early DMA-related developments.

But it’s also true that some major business model reforms have yet to happen.

Notably, Apple has so far stuck to its fee-based model for the App Store (by creating a new fee, the CTF, in a bid to work around the effect of being forced to open its App Store); and Meta has sought to cling to a privacy-hostile mode by forcing users to choose between being tracked or paying to use the historically free services, despite blowback from enforcers of multiple EU rules.

On the DSA side, the EU has been quick to trumpet a number of developments as early wins. Such as crediting the DSA with helping drive improvements in platforms’ responsiveness to election security concerns ahead of the EU elections (also following its publication of detailed guidance and pre-election stress-testing exercises); or highlighting LinkedIn’s decision to disable certain types of ads data linking following a DSA complaint.

Another example the EU pointed to early on to illustrate proactive DSA impact was TikTok pulling functionality from the TikTok Lite app in the region over addiction concerns.

That (initially voluntary) suspension was made permanent in August 2024 once the bloc accepted legally binding commitments from TikTok in exchange for closing its investigation of the rewards mechanism. But should TikTok breach its commitments not to bring back the controversial rewards mechanism it could still face DSA sanction.

As regards the DMA, some effects the Commission may be less keen to own are claims by Apple and Meta they’re delaying the launch of certain AI features in the EU as they’re unsure how the DMA applies. So the suggestion is heightened regulatory risk could have a knock-on effect on how much or how quickly cutting edge tech is made available to regional users.

August 5, 2024: This report was updated with details of the EU’s TikTok Lite case closure

More TechCrunch

Ola Electric, India’s largest electric two-wheeler maker, saw its shares rise as much as 20% on its public debut on Friday, making it the biggest listing among Indian firms in…

Ola Electric surges in India’s biggest listing in two years

Rocket Lab surpassed $100 million in quarterly revenue for the first time, a 71% increase from the same quarter of last year. This is just one of several shiny accomplishments…

Rocket Lab’s sunny outlook bodes well for future constellation plans 

In 1996, two companies, Patersons HR and Payroll Solutions, formed a venture called CloudPay to provide payroll and payments services to enterprise clients. CloudPay grew quietly over the next several…

CloudPay, a payroll services provider, lands $120M in new funding

The vulnerabilities allowed one security researcher to peek inside the leak sites without having to log in.

Security bugs in ransomware leak sites helped save six companies from paying hefty ransoms

Featured Article

A comprehensive list of 2024 tech layoffs

The tech layoff wave is still going strong in 2024. Following significant workforce reductions in 2022 and 2023, this year has already seen 60,000 job cuts across 254 companies, according to independent layoffs tracker Layoffs.fyi. Companies like Tesla, Amazon, Google, TikTok, Snap and Microsoft have conducted sizable layoffs in the…

A comprehensive list of 2024 tech layoffs

A new “beta rabbit” mode adds some conversational AI chops to the Rabbit r1, particularly in more complex or multi-step instructions.

Rabbit’s r1 refines chats and timers, but its app-using ‘action model’ is still MIA

Los Angeles is notorious for its back-to-back traffic. Three events that promise to bring in millions of spectators from around the world — the 2026 World Cup, the Super Bowl…

Archer to set up air taxi network in LA by 2026 ahead of World Cup

Featured Article

Amazon is fumbling in India

Amazon’s decision to overlook quick-commerce in India is now looking like a significant misstep.

Amazon is fumbling in India

OpenAI’s GPT-4o, the generative AI model that powers the recently launched alpha of Advanced Voice Mode in ChatGPT, is the company’s first trained on voice as well as text and…

OpenAI finds that GPT-4o does some truly bizarre stuff sometimes

On Thursday, Box filled in a missing piece on its AI platform when it bought automated metadata extracting startup, Alphamoon.

Box adds crucial piece to its AI platform with Alphamoon acquisition

OpenAI has announced a new appointment to its board of directors: Zico Kolter. Kolter, a professor and director of the machine learning department at Carnegie Mellon, predominantly focuses his research…

OpenAI adds a Carnegie Mellon professor to its board of directors

Count Spotify and Epic Games among the Apple critics who are not happy with the iPhone maker’s newly revised compliance plan for the European Union’s Digital Markets Act (DMA). Shortly…

Spotify and Epic Games call Apple’s revised DMA compliance plan ‘confusing,’ ‘illegal’ and ‘unacceptable’

Thursday seeks to shake up conventional online dating in a crowded market. The app, which recently expanded to San Francisco, fosters intentional dating by restricting user access to Thursdays. At…

Thursday, the dating app that you can use only on Thursdays, expands to San Francisco

AI companies are gobbling up investor money and securing sky-high valuations early in their life cycle. This dynamic has many calling the AI industry a bubble. Nick Frosst, a co-founder…

Cohere co-founder Nick Frosst thinks everyone needs to be more realistic about what AI can and cannot do

Instagram is rolling out the ability for users to add up to 20 photos or videos to their feed carousels, as the platform embraces the trend of “photo dumps.” Back…

Instagram is embracing the ‘photo dump’

Welcome back to TechCrunch Mobility — your central hub for news and insights on the future of transportation. Sign up here for free — just click TechCrunch Mobility! Anyone paying…

Lyft ‘opens a can of whoop ass’ on surge pricing, Tesla’s Dojo explained and Saudi Arabia pumps $1.5B into Lucid

Flint Capital just closed its third fund at $160 million. Its has a unique strategy for finding its limited partner investors. 

Flint Capital raises a $160M through an unusual fund-raising strategy

Earlier this week it emerged that the DPC had instigated court proceedings seeking an injunction against X over the data processing without consent.

Elon Musk’s X agrees to pause EU data processing for training Grok

During testing, Google DeepMind’s table tennis bot was able to beat all of the beginner-level players it faced.

Google DeepMind develops a ‘solidly amateur’ table tennis robot

The X account announced that its Premium+ subscription would now be “fully” ad-free, leading some to question how this change would affect creator earnings.

As X sues advertisers over boycott, the app ditches all ads from its top subscription tier

Apple has further revised its compliance plan for the European Union’s Digital Markets Act (DMA) rulebook, which, since March, has forced it to give iOS developers more freedom over how…

Apple revises DMA compliance for App Store link-outs, applying fewer restrictions and a new fee structure

The rise of neobanks has been fascinating to witness, as a number of companies in recent years have grown from merely challenging traditional banks to being massive players in and…

Chime and Dave execs are coming to TechCrunch Disrupt 2024

If you visited the Wikipedia website on mobile this week, you might have seen a pop-up indicating that dark mode is ready for prime time.

How to enable Wikipedia’s dark mode

The home security company says attackers accessed databases containing customer home addresses, email addresses, and phone numbers.

Home security giant ADT says it was hacked

The Looking Glass Pro has a 6-inch display and a foldable base. It shows spatial images like those created with the Apple Vision Pro and iPhone 15 Pro.

Looking Glass’ new lineup includes a $300 phone-sized holographic display

TikTok’s latest offering is capitalizing on the app’s ability to serve as a discovery engine for other media — something its users already take advantage of by sharing short clips…

TikTok partners with Warner Bros. to become a discovery engine for TV and movies

Cocoon is a new startup built on the belief that greener steel production and the creation of concrete slag doesn’t have to be an either/or proposition.

Cocoon is transforming steel production runoff into a greener cement alternative

SoundHound, an AI company that makes voice interface tech used by car companies, restaurants and tech firms, is doubling down on enterprise services by playing consolidator in a crowded market.…

SoundHound acquires Amelia AI for $80M after it raised $189M+

Seeking mental health support is a complex process, but some founders believe that using AI to formalize techniques like cognitive behavioral therapy (CBT) can help folks who might not have…

Feeling Great’s new therapy app translates its psychiatrist co-founder’s experience into AI

The U.K.’s antitrust regulator has confirmed that it’s carrying out a formal antitrust investigation into Amazon’s ties with Anthropic, after Amazon recently completed a $4 billion investment into the AI startup.…

UK launches formal probe into Amazon’s ties with AI startup Anthropic