Governing the Gatekeepers: How the DSA and DMA Are Testing Whether Democratic Law Can Discipline Platform Power

In March 2026, the European Commission's Digital Markets Act task force issued its third formal non-compliance finding against Apple in twelve months, this time concerning the company's implementation of the "browser choice screen" requirement — a provision requiring that EU users of iOS devices be presented with a genuine choice of browser at device setup, rather than defaulted to Safari in conditions that the Commission determined constitute "technical friction designed to preserve default status." The finding followed Apple's payment of a €1.84 billion fine for DMA violations in the streaming music market — itself the largest digital markets fine ever levied — and came alongside an ongoing investigation into Apple's App Store fee structure, which the company had restructured in a manner that regulators characterised as "compliant in letter, evasive in spirit." The phrase captured something important: the central dynamic of EU platform regulation in 2026 is not defiance but creative compliance — the systematic deployment of corporate legal architecture against the intent of democratic law.
The DSA and DMA, adopted together in 2022 and entering full enforcement in 2024, represent an unprecedented attempt to make legible, and therefore governable, the opaque algorithmic, commercial, and infrastructural decisions through which a small number of platform corporations exercise what is effectively public power without public accountability. The ambition is real. The instruments are novel. The enforcement record to date is a study in the gap between regulatory design and the structural advantages that platform corporations retain when confronted with democratically enacted law.
What the DSA and DMA Actually Require — and Why It Matters
The regulatory architecture is worth understanding precisely because its scope is genuinely unprecedented. The Digital Services Act imposes obligations across a tiered structure, with the most demanding requirements falling on "very large online platforms" (VLOPs) and "very large online search engines" (VLOSEs) designated by the Commission: Meta's Facebook and Instagram, Google Search and YouTube, TikTok, Amazon Marketplace, Apple's App Store, Microsoft Bing, and Zalando, among others. These obligations include annual systemic risk assessments identifying how their services amplify illegal content, disinformation, or harm to minors; algorithmic transparency requirements permitting researchers and regulators to audit recommendation systems; a right for users to receive chronological rather than ranked feeds; mandatory data access for vetted academic researchers; and crisis response mechanisms activatable by the Commission in defined emergencies.
The Digital Markets Act operates through a different logic: it designates "gatekeepers" — platforms controlling "core platform services" above defined revenue and user thresholds — and imposes ex ante obligations rather than waiting for market harm to be demonstrated through case-by-case competition enforcement. Gatekeepers must allow third-party app stores and sideloading; permit developers to steer users to offers outside the gatekeeper's ecosystem; provide advertisers and publishers with transparent pricing and performance data; ensure interoperability of messaging services with third-party platforms; and refrain from self-preferencing their own products in rankings or results.
The framework has generated exactly the compliance theatre that structural power imbalances produce: elaborate technical implementations that satisfy the formal reading of each requirement while preserving the commercial reality the requirement was designed to disrupt.
The Compliance Theatre: Apple, Meta, and the Art of Structured Evasion
Apple's response to the DMA's third-party app store requirement is the clearest case study in structured evasion. When the DMA required that iOS permit installation of apps from sources other than the App Store, Apple implemented "alternative marketplace" rules that imposed a "core technology fee" of €0.50 per install per year on apps distributed outside the App Store — a fee that, at the user volumes of major applications, would have imposed costs exceeding the App Store's 30% commission, effectively making alternative distribution economically irrational. The Commission opened an investigation; Apple modified the fee structure; the Commission issued a non-compliance finding; Apple appealed. The process is now in its third iteration.
Meta's DSA compliance around the "subscription or consent" model — offering users a choice between paying €9.99 per month for an ad-free experience or consenting to data-based advertising — initially passed regulatory scrutiny before the Commission determined in late 2025 that the binary choice itself constituted a form of "dark pattern," presenting consent as economically equivalent to a subscription when the data being gathered had commercial value far exceeding the subscription fee. The Commission's working paper held that the extraction imperative embedded in behavioural advertising cannot be made legitimate merely by offering users the option to pay for its absence, because doing so commodifies the right to privacy rather than protecting it.
The algorithmic transparency provisions have proved equally resistant to genuine accountability. The DSA requires VLOPs to provide "meaningful information" about the parameters affecting content recommendation. What "meaningful" requires has been contested at every step: platforms have provided documentation of the inputs to recommendation systems while declining to expose the weighting functions, the feedback loops, or the commercial arrangements that shape what those inputs produce. The Commission's Digital Services Coordinator network — a distributed enforcement mechanism that delegates primary oversight to national regulators while the Commission handles VLOPs directly — has struggled to develop the technical capacity to evaluate what it receives.
The Structural Problem: Regulatory Capture at Scale
The enforcement dynamic reveals a structural problem that no regulatory instrument alone can solve: the disparity between the technical capacity of platform corporations and the institutions charged with regulating them. Apple employs more lawyers than the European Commission's entire competition and digital markets directorate. Google's internal policy team alone numbers in the hundreds; the DMA task force responsible for Google enforcement had, as of late 2025, fewer than thirty officials. The information asymmetry that this produces is not a failure of will but a structural feature of the relationship between globalised platform capital and territorially bounded democratic institutions.
A partial remedy would be public investment in regulatory technical capacity analogous to the investment in scientific capacity that produced European excellence in particle physics or aerospace. The Commission's proposal for a European Centre for Algorithmic Transparency (ECAT), attached to the Joint Research Centre, is a move in this direction — but its proposed staffing of 120 researchers for 2026 compares unfavourably with the AI research divisions of the platforms it is meant to evaluate. Regulators depend on platforms for the technical information needed to evaluate platform compliance — a dependency that structurally advantages the regulated party.
The DMA's interoperability requirements for messaging — which would require Meta's WhatsApp and Apple's iMessage to accept messages from third-party clients — remain partially unimplemented and actively litigated. The technical implementation challenges are real, as the platforms argue; but the pace of implementation also reflects a corporate calculation that litigation delay is preferable to interoperability that would reduce switching costs and erode network effects.
Stakes: What Governance Failure Means for Democratic Accountability
The stakes of the DSA/DMA enforcement contest extend beyond European digital markets policy. The EU regulatory framework is explicitly designed as a "Brussels Effect" instrument: a regulatory standard ambitious enough that global platforms find it rational to implement it universally rather than maintain separate compliance architectures for different jurisdictions. If the enforcement record demonstrates that sophisticated corporate actors can systematically neutralise the intent of democratic regulation through compliance theatre, the Brussels Effect works in reverse — not as a global floor for platform accountability but as a demonstration that democratic law cannot effectively govern platform power.
The alternative interpretations are worth taking seriously. Some regulatory scholars argue that the DMA's first two years of enforcement should be judged against the counter-factual of no regulation at all: Apple has opened iOS to third-party app stores at some level; Meta has provided researcher data access it previously refused; Google has modified its search results page in ways that have measurably reduced self-preferencing in some product categories. These are not trivial achievements.
But the larger question — whether democratic governance can discipline the structural power of platform gatekeepers without dismantling the corporate architecture that produces that power — remains unanswered. The DSA and DMA are the most serious attempt to answer it in the affirmative. Their enforcement record in 2026 suggests that the answer requires not only better regulatory instruments but a political commitment to investing in the public capacity — technical, legal, financial — to make those instruments effective against adversarial capital that spends more on compliance evasion than most national regulatory bodies spend on everything.
The Monexus tech desk covers EU platform regulation through the lens of structural power rather than treating every fine as a victory — because compliance theatre is not accountability.