The relationship between the European Union and large technology companies is going through a period of growing tensions, fueled by intense debates on competition, digital security, data governance, and platform responsibility. In this highly complex environment, the Digital Markets Act (DMA) emerges as the most ambitious regulatory framework designed by the bloc to rebalance forces in digital markets marked by strong network effects, ecosystem economies, and structural barriers to entry.
It is in this context that Apple recently notified the European Commission that Apple Ads and Apple Maps now meet the size and impact thresholds set out in the DMA. Although formally procedural, this move symbolizes another chapter in the practical implementation of the regulation and reactivates discussions about the degree of state intervention necessary to ensure contestability and transparency in digitally concentrated markets.
The requirements imposed by the Commission—such as opening up the iOS system, allowing alternative app stores, and expanding the interoperability of Apple Pay—are presented as measures aimed at correcting historical power asymmetries. Apple, for its part, argues that such obligations amplify fraud risks, compromise operational security, and threaten the technical integrity of its integrated ecosystem.
In a scenario of growing socioeconomic dependence on digital platforms — each built on its own technological incentives, commercial strategies, and control architectures — the debate transcends the Apple case and reveals a broader regulatory dilemma: how to promote competition and openness without destabilizing ecosystems whose efficiency derives precisely from integration and standardization?
The DMA establishes a specific regime for digital platforms that hold a systemic position in the European market. Although European competition law does not consider large size alone to be a competition problem, the European Commission has come to recognize that a small number of large-scale platforms increasingly act as gateways—or gatekeepers—between user companies and end users, enjoying an entrenched and lasting position, often consolidated by the formation of conglomerate ecosystems around central services, which reinforces existing barriers to entry.
Once designated as gatekeepers, these companies are subject to ex ante structural obligations designed to: (i) prevent self-preferencing practices; (ii) ensure interoperability and data portability; (iii) ensure a level playing field for companies using their platforms; and (iv) promote greater contestability in highly concentrated markets.
For designation purposes, the DMA establishes objective thresholds based on annual revenue, number of users, and presence in the domestic market. Once these thresholds are exceeded, the company must formally notify the Commission, which then assesses the classification as a gatekeeper and, if applicable, imposes specific obligations proportional to the systemic impact of the service.
Unlike traditional antitrust law, which acts predominantly on conduct and usually requires proof of abuse of a dominant position, the DMA was designed as an instrument aimed at neutralizing structural effects derived from size, gatekeeping power, and the strong network effects that characterize digital markets. Its goal is to reduce barriers to entry and level competitive conditions, especially in consolidated segments such as operating systems, messaging platforms, marketplaces, and digital advertising.
Despite its innovative nature and broad support from sectors that see big tech companies as having excessively concentrated power, the DMA also faces substantial criticism. For some analysts, its intervention comes too late in already consolidated markets, where competitive diversity has become difficult to reestablish. This is a point recognized even by the regulation's own drafters, who identify significant challenges in reversing deeply entrenched market structures.
Under the logic that inspires the DMA, requiring interoperability, opening operating systems, and allowing alternative app stores would be a way to increase contestability and decentralize the European mobile device market. However, many of these obligations directly affect the technical architecture of platforms such as iOS, bringing regulation closer to a kind of normative systems engineering — and it is precisely at this point that more delicate frictions between security, innovation, and competition emerge.
Apple's criticism focuses on the claim that forcing iOS to open up would significantly increase the attack surface by allowing installations outside the App Store — an environment subject to continuous security audits — and by reducing the sandboxing, cryptographic verification, and proprietary screening controls that have historically structured the system's defensive architecture.
The company further argues that the requirements for interoperability and sharing of sensitive technologies with third parties, whose protection standards may not be equivalent, create additional risks of vulnerabilities and undermine the integrated ecosystem experience, an element it considers central to its value proposition.
According to Apple, the DMA also imposes an undesirable reversal in its development and innovation cycle by requiring certain operating system features to operate from the outset in non-Apple environments and applications, even before they are released in the final interface to consumers. This move, the company argues, creates a kind of regulatory dependency, subjecting the technological evolution of iOS to external constraints that go beyond competitive logic.
On the legal front, Apple argues regulatory overreach, claiming that the European Commission's actions go beyond the legitimate goal of promoting competition and strike at the heart of its technological governance, posing structural risks to its business model, operational security, and ecosystem integrity. It is, therefore, a criticism that combines technical, strategic, and regulatory elements, seeking to demonstrate that regulatory intervention would have potentially adverse effects on innovation and the resilience of the system itself.
This episode reveals a structural dilemma in contemporary European digital policy, present in both the DMA and the Digital Services Act (DSA): the search for a simultaneous balance between security, competition, and innovation in markets characterized by strong technical asymmetry and high operational complexity. In this process, questions arise that challenge the limits of regulatory design:
In the absence of a robust cost-benefit analysis—one that considers general equilibrium effects, impacts on the attack surface, and security externalities—structural regulations can unintentionally redesign incentives, producing systemic inefficiencies or shifting risks without eliminating them. This is not to deny the relevance of public intervention in highly concentrated sectors: regulation is essential to correct market failures, avoid lock-in, ensure interoperability, and stimulate innovation.
The risk arises when regulation exceeds proportionality limits, excessively interfering with the technical architecture of products, imposing obligations disconnected from risk analysis, or assuming technological premises that do not hold true in practice. At this point, the norm ceases to correct dysfunctions and begins to produce new asymmetries, altering the operating logic of ecosystems that support millions of users and developers—with consequences that can reverberate far beyond the original intentions of the legislator.
The dispute between Apple and the European Commission highlights a broader problem of global digital governance: the regulation of technologically complex markets requires a delicate balance between openness, security, and technical feasibility.
The DMA represents a significant step forward in addressing the structural power of dominant platforms, but its effectiveness will depend on the ability to integrate rigorous technical assessments, ongoing risk analysis, and gradual implementation mechanisms capable of adjusting obligations to the operational reality of the systems it regulates.
Without this fine calibration, regulatory enforcement risks compromising precisely what it seeks to safeguard: the integrity of digital ecosystems, the resilience of technological infrastructures, and, above all, user confidence, a central element for the sustainable functioning of interconnected digital markets.
• What changed
Apple formally notified the European Commission that Apple Ads and Apple Maps meet the DMA thresholds, triggering the possibility of their designation as gatekeeper services. While procedurally expected, the notification accelerates the practical enforcement phase of the Digital Markets Act and brings the regulation closer to the core technical architecture of Apple’s ecosystem—particularly iOS, payments, advertising, and mapping services.
• Why it matters (not business as usual)
This is not a conventional competition case focused on abusive conduct. The DMA operates as ex ante structural regulation, imposing obligations based on systemic position, not wrongdoing. In practice, enforcement increasingly resembles normative systems engineering, requiring dominant platforms to redesign interoperability, distribution, and access layers. This shifts the regulatory debate from market behavior to technical governance, security externalities, and ecosystem integrity.
• Executive impact
For platform operators, developers, and ecosystem partners, the DMA’s application to Apple signals:
• Architectural intervention risk: obligations may require changes to OS-level security, app distribution, and payments.
• Security and liability exposure: expanded attack surfaces, fraud vectors, and unclear responsibility allocation.
• Innovation-cycle constraints: product design and feature rollout may become partially contingent on regulatory approval and third-party readiness.
• Compliance spillovers: even non-gatekeepers operating within gatekeeper ecosystems inherit new risk and compliance burdens.
• Where to go deep
• The DMA as structural (not behavioral) competition law and its departure from classic antitrust logic.
• Interoperability and alternative app stores as tools of contestability versus sources of systemic risk.
• The overlap and tension between the DMA (competition) and the DSA (security and responsibility).
• Allocation of liability in fragmented ecosystems created by mandatory openness.
• Next steps
• Conduct a technical–legal impact assessment of DMA obligations on system architecture and security models.
• Align legal, engineering, security, and product teams around a shared risk taxonomy.
• Develop user-facing transparency and education strategies to preserve trust in differentiated ecosystems.
This section gives quick answers to the most common questions about this insight. What changed, why it matters, and the practical next steps. If your situation needs tailored advice, contact the RNA Law team.
Q: What changed, and why is this not “business as usual”?
A: Apple’s notification moves the DMA from theory to hands-on enforcement. The regulation no longer targets abstract market power but directly affects how platforms are engineered, distributed, and secured. This elevates the debate from competition policy to system design and operational risk.
Q: What is the core regulatory tension exposed by the Apple case?
A: The central tension is between contestability and security. Measures intended to open markets—alternative app stores, expanded interoperability—may weaken centralized control mechanisms that underpin system integrity, fraud prevention, and user trust.
Q: Is Apple arguing against competition as such?
A: Not formally. Apple frames its position as a risk-based critique, arguing that certain DMA obligations overshoot proportionality by mandating openness without sufficient consideration of security externalities, technical feasibility, and liability allocation.
Q: Why does this matter beyond Apple?
A: Because the DMA sets a regulatory template. If obligations requiring deep architectural changes become normalized, other gatekeepers—and even smaller firms operating within their ecosystems—will face similar pressures, reshaping innovation incentives across the digital economy.
Q: How does this relate to the Digital Services Act (DSA)?
A: The DMA and DSA pursue complementary but sometimes conflicting goals. While the DMA promotes openness and competition, the DSA emphasizes risk mitigation, platform responsibility, and user protection. The Apple case illustrates how these objectives can collide at the technical layer.
Q: Who bears responsibility when something goes wrong in an opened ecosystem?
A: That is precisely one of the unresolved issues. Mandatory openness fragments control, potentially diffusing responsibility among platform operators, developers, and intermediaries—raising complex questions of liability, enforcement, and user redress.
Q: What should organizations do in the next 30–90 days?
A:
• Monitor DMA enforcement actions not only legally, but technically.
• Map how regulatory obligations may reallocate security and liability risks across the value chain.
• Prepare governance frameworks that integrate competition compliance with cybersecurity and product integrity.
