EU Digital Markets Act (DMA) 2026 — SaaS Developer Rights: API Interoperability, App Store Alternatives & Gatekeeper Obligations

Post #874 in the sota.io EU Cyber Compliance Series

The EU Digital Markets Act is not just about regulating Apple and Google. It creates enforceable rights for you — the SaaS developer or business user building on, competing with, or interoperating with gatekeeper platforms. Since March 7, 2024, six companies became designated gatekeepers with legally binding obligations. Since March 2025, the Commission has been running enforcement proceedings and accepting complaints from business users who believe their DMA rights are being violated.

If you build mobile apps, integrate with gatekeeper messaging platforms, use gatekeeper app distribution channels, or compete in markets where gatekeepers operate, the DMA gives you rights that did not exist under competition law alone. This guide explains what those rights are, how they work in practice, and how to enforce them.

The DMA Framework: Gatekeepers and Business Users

The DMA applies a two-tier structure. Gatekeepers are large platform operators that have been formally designated by the European Commission. Business users and end users have rights against gatekeepers.

As a SaaS developer, you are a business user if you:

• Distribute software through a gatekeeper platform (iOS App Store, Google Play, Microsoft Store)
• Use a gatekeeper's online intermediation services to reach customers
• Advertise through a gatekeeper's advertising platform
• Offer services interoperating with a gatekeeper's core platform service
• Compete with a gatekeeper-owned service in a market where the gatekeeper also operates

You do not need to meet any size threshold to qualify as a business user. The obligations are on the gatekeeper, not on you.

The Six Designated Gatekeepers (as of 2026)

The Commission designated gatekeepers in September 2023 and March 2024:

Each designation covers specific core platform services (CPS). The obligations apply per CPS, not to the company as a whole. Apple's iMessage obligations are separate from Apple's iOS obligations.

Art.5 Obligations: What Gatekeepers Must Not Do

Article 5 contains the "per se" obligations — things gatekeepers are categorically prohibited from doing, regardless of any potential justification.

Art.5(7): Alternative Payment Systems

Gatekeepers providing app stores must allow business users to offer their own payment mechanisms and link to external payment flows.

What this means in practice:

• You can offer in-app purchases through your own payment processor (Stripe, Mollie, Paddle, etc.) on iOS and Android
• Apple and Google cannot prevent you from informing users that alternative payment options exist
• You can link from within your app to external payment pages
• Gatekeepers cannot impose a commission on transactions conducted through alternative payment systems that equals their own in-app purchase commission

Current enforcement status: Apple launched alternative payment processing in the EEA in March 2024 but imposed a "Core Technology Fee" (€0.50 per install after 1M free installs) plus a 17% commission on App Store transactions and a 10% "alternative payment processing fee." The Commission opened non-compliance proceedings in March 2024. As of May 2026, the proceedings are ongoing. The fee structure Apple imposed does not fully satisfy Art.5(7), and enforcement action is expected.

Action for SaaS developers: If you have a subscription SaaS accessed via iOS, you can now offer web-based payment flows and use in-app communication to direct EU users to them. You cannot be penalised by Apple for this in the EEA. Document any Apple App Store rejections that cite your use of alternative payment methods — this is evidence for a DMA complaint.

Art.5(4): No Self-Preferencing in Rankings

Gatekeepers cannot rank their own services, products, or software more favourably than similar offerings from third parties in indexing, crawling, or ranking results.

For SaaS developers competing with Google Workspace, Microsoft 365, or Amazon-owned services: if you have evidence of systematic ranking disadvantage in search, app store search, or marketplace rankings compared to the gatekeeper's own equivalent product, this is a DMA violation.

Art.5(2): No Combining Personal Data Across CPS Without Consent

Gatekeepers cannot combine personal data from their core platform services with personal data from other services without meeting the Art.7 GDPR consent conditions. This is the DMA's direct interaction with GDPR.

Impact on SaaS: If your users have data on Meta platforms (Facebook, Instagram, WhatsApp) and also use your SaaS, Meta cannot combine that data with cross-service tracking without explicit consent that meets GDPR standards. This constrains Meta's advertising targeting in ways that benefit SaaS developers who do not depend on cross-service tracking.

Art.6 Obligations: What Gatekeepers Must Actively Provide

Article 6 contains "susceptible to specification" obligations — they apply but the Commission may issue implementing acts specifying technical details. These are the provisions that directly create developer rights.

Art.6(4): Side-Loading and Alternative App Distribution

Gatekeepers operating operating systems must allow installation of third-party apps and app stores from outside their own app distribution service.

What this means for iOS developers:

• Apple must allow iOS users in the EEA to install apps from sources other than the App Store
• Apple must allow third-party app stores to operate on iOS in the EEA
• You can distribute your iOS app directly to EEA users without going through the App Store
• Apple cannot technically block installation of apps distributed outside its store for EEA users

Current status: Apple launched alternative distribution in the EEA with iOS 17.4 (March 2024). Alternative marketplaces like AltStore PAL and Setapp Mobile are now operating. Apple imposes a "notarisation" requirement (mandatory code signing) and a Core Technology Fee. The Commission has been assessing whether these conditions comply with Art.6(4). As of May 2026, Apple's implementation is under continued scrutiny.

Practical reality check: Alternative distribution exists but has not reached mass market adoption. For most SaaS developers, App Store distribution remains the primary channel. However, for specialised tools targeting enterprise customers, direct distribution or third-party marketplace distribution is now legally available.

Art.6(7): Interoperability for Third-Party Service Providers

Gatekeepers providing communication services (messaging, social networking) must provide interoperability to third-party providers upon request.

This is the provision that requires Meta to allow other messaging apps to exchange messages with WhatsApp and Messenger users, and requires Apple to allow third-party messaging apps to interoperate with iMessage.

What this creates for SaaS developers:

• You can request interoperability with WhatsApp's messaging infrastructure for your communication SaaS
• You can request interoperability with iMessage for EU users
• The gatekeeper must respond to interoperability requests within three months and implement interoperability within twelve months of a valid request

How to make an interoperability request:

1. Send a written request to the gatekeeper's designated contact for DMA purposes
2. Specify the technical interface you need, the functionality you intend to enable, and the expected usage volume
3. The gatekeeper must respond with an offer, or reject the request with documented technical justification

Current implementation: WhatsApp launched its third-party messaging interoperability API in March 2024 under the WhatsApp Network Interoperability (WNI) API. Signal, Threema, and several other messaging providers have published their assessment of the API. Technical implementation is possible but requires end-to-end encryption handling that is non-trivial. The API uses a modified Signal Protocol.

For SaaS developers building communication tools, CRM with messaging integrations, or customer support platforms: the WNI API now exists as a legal entitlement, not just a business negotiation.

Art.6(9): Data Portability for Business Users and End Users

Gatekeepers must provide effective portability of data generated or provided through their platform by business users and end users, and must provide continuous real-time access to such data.

What this means for SaaS developers:

As a business user competing with a gatekeeper-owned service:

• You can request access to your historical performance data, customer interaction data, and any data you generated on the gatekeeper's platform
• If you operated a Facebook Page and want to move to another platform, Meta must provide your page's historical data in a portable format
• Google must provide you with your Google Ads campaign historical data in a format that can be imported into competing ad platforms

As a SaaS developer building data migration tools:

• Art.6(9) creates a legal entitlement to export data from gatekeeper platforms
• Building a migration tool that serves business users moving away from gatekeeper-owned services is directly supported by this provision
• The gatekeeper cannot impose technical barriers that make migration unreasonably difficult

Art.6(10): Access to Data Collected on Gatekeeper Platforms

Gatekeepers must provide third-party publishers and advertisers with access to the performance measurement tools and data necessary to carry out independent verification of advertising delivered through the gatekeeper's platform.

Impact on SaaS analytics and attribution tools: If you build marketing attribution software or ad analytics tools, this provision gives your customers (advertisers) the legal right to receive granular data from Google Ads, Meta Ads, Amazon Advertising, and TikTok. The gatekeeper cannot restrict access to the data necessary for independent attribution verification.

Art.14: DMA Obligations and GDPR Interaction

The DMA does not override GDPR — it adds obligations on top of GDPR. Where DMA obligations require data sharing, gatekeepers must implement appropriate safeguards.

Key interaction points:

1. Art.6(9) portability vs. GDPR Art.20: GDPR Art.20 portability covers personal data. DMA Art.6(9) covers business-generated data and extends to non-personal data. Where data exported under DMA Art.6(9) contains personal data, GDPR Art.20 safeguards apply.

2. Art.5(2) and GDPR consent: The DMA's prohibition on cross-service data combination without consent references GDPR Art.4(11) consent standards. A consent that does not meet GDPR validity requirements (freely given, specific, informed, unambiguous — Art.7) also fails DMA Art.5(2).

3. Art.6(7) interoperability and data minimisation: When gatekeepers provide messaging interoperability, the data exchanged must be minimised to what is necessary. Gatekeepers cannot require interoperating parties to provide more user data than the functionality requires.

Data localisation and CLOUD Act:

The DMA does not address data localisation or the CLOUD Act directly. If a gatekeeper holds data that is subject to US government access (CLOUD Act), DMA portability provisions cannot be used to require the gatekeeper to move that data to EU jurisdiction. For CLOUD Act-free data access, EU-based infrastructure remains the only route.

How to Enforce Your DMA Rights

Complaint to the European Commission

The primary enforcement route is a complaint to the Commission's DMA enforcement team.

How to file:

• Use the Commission's DMA complaint form: available at competition enforcement portals
• Describe the specific DMA obligation the gatekeeper violated (cite the article number)
• Provide evidence of the violation (screenshots, API responses, rejection notices, correspondence)
• Explain the harm to your business
• The Commission has the power to conduct investigations, impose interim measures, and levy fines

Fines for gatekeepers:

• Up to 10% of total worldwide annual turnover for a first violation
• Up to 20% for repeated infringements
• Up to 5% of average daily worldwide turnover for non-compliance with interim measures

For context: 10% of Alphabet's 2025 revenue is approximately €35 billion. These are not token penalties.

Interim Measures

If the gatekeeper's conduct is causing immediate and serious harm, you can request interim measures. The Commission can act within a preliminary assessment period. Interim measures require a finding of urgency, not a full investigation conclusion.

National Competition Authorities

National competition authorities (NCAs) in EU member states can also investigate DMA violations. The Commission has a mechanism for consistent application, but NCAs are empowered to act on complaints. The German Bundeskartellamt, French Autorité de la concurrence, and Dutch ACM have all been active in DMA-adjacent investigations.

Private Enforcement (Art.39)

Member states must ensure that natural or legal persons can bring actions for damages before national courts where a DMA violation caused them harm. Private enforcement is available alongside Commission proceedings.

Important: Private enforcement actions cannot be pursued simultaneously with Commission proceedings on the same conduct in a way that would conflict with Commission decisions. Coordinate with legal counsel on sequencing.

DMA Obligations Relevant to CLOUD Act and EU Sovereignty

The DMA does not resolve CLOUD Act exposure. If you integrate with WhatsApp Business API (operated by Meta, a US entity), Google Cloud Messaging, or Apple Push Notification Service, your communications infrastructure remains subject to US government demands under the CLOUD Act and Foreign Intelligence Surveillance Act.

DMA interoperability rights give you the technical ability to connect. They do not change the jurisdictional exposure of the gatekeeper's infrastructure.

If CLOUD Act exposure matters for your customers:

• Use DMA portability rights to migrate your data away from gatekeeper storage
• Use DMA side-loading rights to distribute your app without App Store dependency for enterprise customers
• Build interoperability via open federation protocols (Matrix, XMPP) as an alternative to WhatsApp WNI API
• Host customer data on EU-jurisdiction infrastructure independent of gatekeeper platforms

Implementation Checklist for SaaS Developers

If you distribute on iOS/Android:

• Assess whether alternative payment processing is viable for your subscription model in the EEA
• Review Apple's Core Technology Fee to determine cost impact vs. commission saving
• Evaluate third-party iOS marketplace distribution for enterprise-specific tooling
• Document any App Store rejection on DMA-compliance grounds for potential complaint use

If you build communication or messaging features:

• Review WhatsApp WNI API documentation for interoperability eligibility
• Submit interoperability request to Apple if iMessage integration is needed for your EU users
• Assess Signal Protocol implementation requirements for encrypted interoperability

If you compete with gatekeeper-owned services:

• Request data portability from relevant gatekeepers for your historical business data
• Document ranking patterns in gatekeeper search/marketplaces for potential self-preferencing evidence
• Evaluate whether the Commission's open investigations cover conduct harming your business

If you build marketing or analytics SaaS:

• Inform customers of their Art.6(10) rights to independent ad measurement data from gatekeepers
• Assess whether your attribution methodology can leverage DMA-mandated data access

For all:

• Identify which gatekeeper CPS your business depends on
• Map specific DMA articles that apply to each dependency
• Establish internal process for documenting gatekeeper conduct that may constitute DMA violations

DMA 2026 Enforcement Status

Commission proceedings are public. Checking the status of proceedings relevant to your business is free and helps you assess whether a complaint would be duplicative or additive.

What DMA Does Not Cover

The DMA does not apply to:

• B2B SaaS that does not distribute through gatekeeper platforms
• Infrastructure services that are not designated core platform services
• Data processing that does not involve a gatekeeper intermediating between business users and end users
• Business relationships with non-gatekeeper cloud providers (AWS, Azure, GCP at the IaaS level are not DMA-designated CPS for most purposes)

The DMA is focused on platform intermediation — situations where a gatekeeper sits between you and your customers or users. If your SaaS reaches customers directly and does not depend on a gatekeeper platform as an intermediary, the DMA's Art.5–6 obligations do not directly apply to your relationship.

Connecting DMA to Your Stack Decisions

For SaaS developers making infrastructure and platform decisions:

Mobile distribution: DMA gives you legal alternatives to single App Store distribution in the EEA. This reduces lock-in risk and gives you negotiating leverage on commission structures. Evaluate alternative marketplaces for enterprise-specific tooling.

Messaging integrations: WhatsApp WNI API is now a legal entitlement, not a favour. Build messaging features that leverage this without depending on proprietary WhatsApp Business API terms that could be changed unilaterally.

Advertising and analytics: DMA Art.6(10) data rights reduce your dependency on gatekeeper-controlled measurement. Build attribution that uses DMA-mandated data access rather than trusting gatekeeper-reported metrics.

Data migration tooling: DMA portability creates a market for tools that help businesses move data out of gatekeeper platforms. If your SaaS serves businesses that are dependent on gatekeeper-stored data, building DMA-compliant migration tooling is a defensible market position.

Infrastructure: The DMA does not mandate EU-jurisdiction hosting. For GDPR compliance, CLOUD Act isolation, and NIS2 supply chain security requirements, EU-native PaaS infrastructure remains the relevant frame. DMA is complementary, not substitutive.

GDPR basis for this post: Analysis of publicly available DMA legislative texts, Commission enforcement decisions, and designated gatekeeper compliance reports.

DMA reference: Regulation (EU) 2022/1925. Gatekeeper designation decisions: C(2023) 6246 (September 2023), C(2024) 1337 (March 2024). Commission DMA enforcement portal: competition enforcement documentation public.