Executive Summary
The Digital Markets Act (Regulation (EU) 2022/1925) represents a massive regulatory paradigm shift in the digital economy. Rather than relying on slow, reactive antitrust investigations, the DMA imposes proactive, ex-ante obligations on a selected group of systemic digital platforms designated as "Gatekeepers." As of mid-2026, the European Commission has fully designated six global tech conglomerates (Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft) across 22 Core Platform Services (CPS), including operating systems, web browsers, search engines, app stores, and messaging networks.
While much of the media coverage focuses on the restrictions imposed on these Gatekeepers, the DMA functions as a legal shield and a competitive enabler for B2B software vendors and enterprise SaaS developers. By establishing clear rights to interoperability (Article 6(7)) and real-time data portability (Article 6(9)), the regulation legally obligates Gatekeepers to open up API endpoints and hardware components that were previously locked behind proprietary paywalls.
This guide details how enterprise SaaS architectures can leverage these new rights, implement compliant data pipelines, and navigate the technical restrictions of the DMA.
1. Defining the Core Platform Services and Gatekeeper Criteria
To be bound by the DMA, a platform must provide a Core Platform Service (CPS) and meet specific financial and user thresholds under Article 3.
CPS Classifications
Under Article 2(2), Core Platform Services include:
- Online intermediation services (e.g., app stores, marketplaces)
- Search engines
- Social networking services
- Video-sharing platform services
- Number-independent interpersonal communications services (messaging apps)
- Operating systems
- Web browsers
- Virtual assistants
- Cloud computing services
- Advertising services provided by a gatekeeper
Designation Metrics
The Commission designates a company as a gatekeeper if it meets these quantitative indicators:
- Financial Scale: An annual EU turnover of ≥ €7.5 billion in each of the last three financial years, OR a market capitalization of ≥ €75 billion in the last financial year.
- Gateway Significance: The CPS serves ≥ 45 million monthly active end-users established or located in the EU, and ≥ 10,000 active annual business users established in the EU.
Historical Context (2025-2026): Following the initial designations in late 2023, the Commission conducted several investigations, leading to the designation of ByteDance's TikTok and specific ecosystem features of Apple (e.g., iPadOS) and Microsoft (Windows) under the DMA guidelines. By June 2026, compliance audits have become highly standardized.
2. Technical Interoperability Rights (Article 6(7))
Article 6(7) requires Gatekeepers to allow providers of services and providers of hardware free of charge, effective interoperability with, and access for the purposes of interoperability to, the same operating system, hardware, or software features that are available or used in the provision by the gatekeeper of its own services or hardware.
SaaS Architecture Applications
This mandate forces Gatekeepers to expose APIs that permit third-party applications to interact directly with hardware chips and operating system microservices. Key touchpoints include:
Near Field Communication (NFC) Secure Elements
Apple is legally obligated to allow third-party banking, ticketing, and enterprise access control apps to utilize the secure element and NFC antennas on iOS devices on equal terms as Apple Pay.
Background Execution and Resource Allocation
Operating systems cannot prioritize native background processes while aggressively throttling equivalent B2B synchronization services (e.g., background databases, real-time security scanners).
Device-to-Device Connectivity
Third-party smart accessories (wearables, industrial scanning guns) must have access to the same Bluetooth, Wi-Fi Direct, and pairing protocols used by the Gatekeeper's first-party products.
3. Real-Time Data Portability and API Access (Article 6(9))
Under Article 6(9), Gatekeepers must provide business users (such as SaaS platforms) with high-quality, continuous, and real-time access to, and use of, aggregated and non-aggregated data, including personal data, that is generated in the context of the use of the relevant core platform services.
Data Ingestion Integration
For CRM, business intelligence, and marketing automation platforms, this means Gatekeepers must provide direct API webhooks or real-time event streaming interfaces rather than relying on delayed batch CSV exports.
- Aggregated Analytics: Direct access to real-time ad performance data, search query metrics, and click-through tracking without intermediate Gatekeeper processing filters.
- Diagnostic Telemetry: Detailed logging of crash reports, latency metrics, and API response statistics for third-party apps running inside Gatekeeper operating systems or cloud environments.
Technical Portability Configuration Example
SaaS platforms can request continuous real-time data feeds via standardized webhook integrations. Below is an example YAML deployment configuration detailing a SaaS webhook connector designed to pull user-authorized analytics data from a Gatekeeper service:
connector:
name: "dma-realtime-telemetry-ingest"
version: "2026.1"
protocol: "webhooks"
security:
auth_mechanism: "OAuth2"
grant_type: "authorization_code"
token_endpoint: "https://auth.gatekeeper-platform.eu/oauth/v2/token"
encryption: "TLS_1.3"
ingest_endpoints:
- path: "/v1/dma/portability/ad-performance"
method: "POST"
event_type: "realtime.analytics.update"
rate_limit_max_rps: 50
- path: "/v1/dma/portability/app-diagnostics"
method: "POST"
event_type: "realtime.telemetry.crash"
rate_limit_max_rps: 100
data_mapping:
fields:
external_user_id: "$.user.hashed_id"
engagement_duration_seconds: "$.metrics.active_duration"
platform_operating_system: "$.device.os_version"
4. Alternative App Distribution and Sideloading (Article 6(4))
The DMA prohibits Gatekeepers from restricting the installation of third-party applications or alternative app stores. This is particularly relevant for enterprise mobility managers (MDM) and corporate IT departments.
Enterprise App Sideloading
- Direct Installation: B2B companies can distribute proprietary employee apps directly via corporate portals or local servers, bypassing the Gatekeeper's public app review pipeline and verification procedures.
- Alternative Stores: Corporations can set up private enterprise app stores to distribute audited software packages without paying the Gatekeeper's licensing fees or billing commissions.
- Browser Interoperability: Browsers running on mobile operating systems are no longer forced to use the Gatekeeper's native rendering engines (e.g., WebKit on iOS). Browsers can compile their own engines (like Chromium or Gecko) for mobile devices, enabling advanced web application functionalities.
5. Architectural Data Flow: DMA Interoperability
The flowchart below demonstrates the legally protected data pathways established by the DMA, enabling B2B SaaS applications to bypass Gatekeeper proprietary barriers and establish direct integrations.
graph TD
subgraph User Device (EU Region)
A[B2B SaaS Mobile Application]
B[Gatekeeper Operating System]
C[OS Hardware: NFC / Secure Element]
end
subgraph Gatekeeper Infrastructure
D[Core Platform Service - CPS]
E[Proprietary API Firewall]
F[DMA Compliance API Endpoint]
end
subgraph SaaS Cloud Infrastructure
G[SaaS Backend Server]
H[SaaS Analytics & DB Engine]
end
A -- 1. Request NFC Access --> B
B -- 2. DMA Interoperability Check --> C
A -- 3. Direct Hardware Call --> C
A -- 4. User Interaction Telemetry --> D
D -- 5. Standard Route (Blocked/Delayed) --> E
D -- 6. Real-Time Export (Article 6(9)) --> F
F -- 7. Secure Webhook Push (TLS 1.3) --> G
G --> H
6. Strategic Bans on Gatekeeper Behavior
To protect business users from retaliation, the DMA explicitly outlaws several common anti-competitive tactics:
- No Self-Preferencing (Article 6(5)): Gatekeepers are prohibited from ranking their own services or products more favorably in search results, app store indexing, or directory structures.
- No Cross-Service Data Combination (Article 5(2)): Gatekeepers cannot merge personal data collected from a core platform service with data gathered from other services (e.g., combining search history with messaging activity) unless the user is presented with a specific choice and has given explicit consent.
- No Anti-Steering (Article 5(4)): Gatekeepers must allow business users to promote offers to end-users and conclude contracts outside the gatekeeper's platform, free of charge. Users cannot be blocked from accessing web-based payment systems or promotional materials.
7. Compliance and Negotiation Checklist for B2B Teams
B2B SaaS product managers and system architects should use this checklist to audit their integrations and capitalize on DMA rights:
- [ ] Verify Core Integrations: Audit all connections with designated Gatekeeper services (e.g., Salesforce-Google integrations, Microsoft 365, iOS/Android device integrations).
- [ ] Demand Equal Access: If a Gatekeeper restricts your application's access to background synchronization, hardware APIs, or system notifications, initiate a formal request under Article 6(7).
- [ ] Configure Portability APIs: Transition your analytics pipelines from scheduled file downloads to the Gatekeeper's DMA-compliant real-time webhook streaming endpoints.
- [ ] Implement Browser-Specific Features: If building web-based tools, leverage the browser engine freedom on mobile devices to implement advanced WebAssembly, caching, and custom rendering pipelines.
- [ ] Audit App Distribution Costs: Evaluate if your corporate B2B app distribution can transition to direct sideloading or alternative marketplace frameworks to bypass app store revenue fees in the European Union.
tuncstudio
EU Compliance Team
Providing clear and actionable EU compliance guides for small and medium enterprises.