What the EU's DSA and DMA Mean for AdTech
Companies operating in programmatic advertising and digital marketing have grown accustomed to the European Union introducing legislation aimed at various corners of their businesses.
Over the years, the EU has enacted privacy laws governing how personal data is collected and shared — the ePrivacy Directive and the General Data Protection Regulation (GDPR) being the most prominent examples.
More recently, the EU's focus has shifted to anti-competitive behaviour in digital advertising and marketing. The result has been a series of antitrust investigations into the dominant tech platforms of the open Internet — chiefly Google, Meta, Apple, and Amazon — with the UK government running parallel inquiries of its own.
The EU's latest legislative move consists of two complementary laws designed to curb anti-competitive conduct, foster fairer competition in digital markets, and reinforce consumers' fundamental rights: the Digital Markets Act (DMA) and the Digital Services Act (DSA).
This piece covers what each law does, what the EU intends to accomplish with them, and the practical implications for the tech giants, AdTech vendors, publishers, and advertisers.
Key Points
- The DMA and DSA are two centrepieces of the European digital strategy. While complementary, they operate in distinct domains.
- The DMA is designed to make competition in digital markets fairer and more open, targeting the behaviour of large platforms — referred to in the legislation as "gatekeepers."
- The DSA focuses on protecting consumers and their rights by mandating transparency, combating illegal content, and holding online platforms accountable.
- The biggest DMA impact falls on Google, Apple, Meta, and Amazon.
- There are DSA and DMA provisions that AdTech companies, publishers, and advertisers will need to follow to avoid penalties.
- Both laws take effect 20 days after publication in the EU Official Journal. The DSA applies after fifteen months from publication or January 1, 2024, whichever is later. The DMA allows a grace period of only 6 months before full application.
What Is the Digital Markets Act (DMA)?
The DMA is designed to make competition in digital markets fairer and more open while better protecting the fundamental rights of EU consumers. It achieves this by regulating the behaviour of the largest tech platforms — the so-called "gatekeepers."
Here is what the DMA sets out to do, with context on each provision:
Apply only to major providers of core platform services most prone to unfair practices — search engines, social networks, and online intermediation services — that meet the objective criteria to be designated as gatekeepers.
This squarely targets Google, Meta, Apple, and Amazon.
Define quantitative thresholds as a basis for identifying presumed gatekeepers. The European Commission will also have powers to designate companies as gatekeepers following a market investigation.
The thresholds are expected to be partly revenue-based, ensuring the largest platforms are captured.
Prohibit clearly unfair practices, such as blocking users from uninstalling pre-installed software or apps on their devices.
This affects Google, Apple, and Microsoft alike, all of which bundle applications on their devices that users cannot always remove.
Require gatekeepers to proactively enable third-party software to interoperate with their own services.
Apple Pay is the cited example. In May 2022, the European Commission released preliminary findings from its antitrust investigation into Apple over its practices around mobile wallets on iOS devices. The Commission's position is that Apple abuses its dominant position by denying third-party developers access to NFC-enabled contactless payments on iOS, effectively making Apple Pay the only available contactless option for users.
Impose sanctions for non-compliance, including fines of up to 10% of worldwide turnover. For repeat infringers, structural measures — potentially including the divestiture of business units — may apply.
It's worth noting that the DMA's maximum fine exceeds the GDPR's 4% cap on worldwide turnover. The divestiture provision is noteworthy but carries a significant limitation: the EU can only compel companies incorporated in the European Union to spin off businesses. That means Google, Meta, Apple, and Amazon fall outside its reach on that specific remedy — only the US government holds that power, and even there it would face a substantial legislative battle.
The EU has spent years attempting to rein in American tech giants with limited success. The DMA represents the latest mechanism for imposing competitive obligations — and in some respects, for generating meaningful financial leverage — over these companies while aiming to protect EU consumers.
Allow the Commission to carry out targeted market investigations to assess whether new gatekeeper practices or services should be brought within scope, ensuring the rules keep pace with fast-moving digital markets.
In practical terms: more antitrust investigations to follow.
What Is the Digital Services Act (DSA)?
The DSA is a law focused on the growth and competitiveness of businesses of all sizes while protecting consumers and their rights. It aims to establish a level playing field in the digital market, with a strong emphasis on transparency, accountability, and protecting users from illegal content.
Beyond EU citizens, the DSA addresses three additional groups:
- Providers of digital services
- Business users of digital services
- Society at large
According to official EU documentation, the DSA will:
Establish mechanisms and "trusted flaggers" to counter illegal goods, services, and content online.
Both users and platforms will be able to flag items recognized as illegal — counterfeit products, prohibited services, harmful content — and mechanisms for doing so will be easily accessible.
Force transparency of business users in online marketplaces.
Sellers will be able to verify whether their products or services have been flagged in official databases. New obligations will strengthen buyers' confidence and increase marketplace trust.
Protect users' safety and fundamental freedom of expression.
Users who disagree with a platform's content moderation decisions will have the ability to challenge them, creating more room for independent creators, social minorities, and open discourse.
Ban certain types of targeted advertising on online platforms.
Ads targeting minors and ads using sensitive personal data — ethnicity, political views, sexual orientation — will be prohibited. This consolidates rules that platforms have previously navigated through a patchwork of separate regulations.
Bring transparency to online platforms, including on the algorithms used for content recommendations.
Users and businesses will be able to learn how platforms personalize content and how advertising mechanisms such as ad targeting and product recommendations function.
Increase safety obligations for very large platforms and very large search engines.
Independent audits of risk management systems will be introduced to prevent misuse of platforms' and search engines' systems.
Open access for researchers to major platforms' key data, in order to understand how online risks evolve.
Greater cooperation between researchers and large online services is expected to improve the ability to anticipate and prevent harmful activities, scams, and illegal commerce.
Establish a European Board for Digital Services to support EU member states in overseeing the new digital landscape, while very large platforms remain under direct European Commission supervision.
| Obligation | Intermediary services | Hosting services | Online platforms | Very large platforms |
|---|---|---|---|---|
| Transparency reporting | ✓ | ✓ | ✓ | ✓ |
| Requirements on terms of service due account of fundamental rights | ✓ | ✓ | ✓ | ✓ |
| Cooperation with national authorities following orders | ✓ | ✓ | ✓ | ✓ |
| Points of contact and, where necessary, legal representative | ✓ | ✓ | ✓ | ✓ |
| Notice and action and obligation to provide information to users | | ✓ | ✓ | ✓ |
| Reporting criminal offences | | ✓ | ✓ | ✓ |
| Complaint and redress mechanisms and out of court dispute settlement | | | ✓ | ✓ |
| Trusted flaggers | | | ✓ | ✓ |
| Measures against abusive notices and counter-notices | | | ✓ | ✓ |
| Special obligations for marketplaces, e.g. vetting credentials of third party suppliers ("KYBC"), compliance by design, random checks | | | ✓ | ✓ |
| Bans on targeted adverts to children and those based on special characteristics of users | | | ✓ | ✓ |
| Transparency of recommender systems | | | ✓ | ✓ |
| User-facing transparency of online advertising | | | ✓ | ✓ |
| Risk management obligations and crisis response | | | | ✓ |
| External & independent auditing, internal compliance function and public accountability | | | | ✓ |
| User choice not to have recommendations based on profiling | | | | ✓ |
| Data sharing with authorities and researchers | | | | ✓ |
| Codes of conduct | | | | ✓ |
| Crisis response cooperation | | | | ✓ |
New obligations for intermediary services, hosting services, online platforms, and very large platforms.
What's the Difference Between the DMA and DSA?
Both laws are centrepieces of the European digital strategy, and while they are complementary, they operate in distinct areas.
The DSA's primary objective is to protect Internet users. It does this by creating new obligations for online platforms around content moderation, transparency in data use, and accountability. Citizens are placed at the centre — sellers, content moderation decisions, algorithmic recommendations, and platform mechanics are all expected to become more legible to users.
The DMA, by contrast, targets competition. Its aim is to ensure large online platforms do not engage in anti-competitive or unfair behaviour — regulating how gatekeepers relate to smaller competitors and to consumers in the digital marketplace.
Together, the two laws are intended to set new standards for both businesses and consumers across the EU.
Thierry Breton, Commissioner for the Internal Market, put it this way in the official press release:
"We are finally building a single digital market, the most important one in the 'free world'. The same predictable rules will apply, everywhere in the EU, for our 450 million citizens, bringing everyone a safer and fairer digital space."
When Do the DMA and DSA Come Into Force?
The European Parliament and the Council of EU Member States reached a political agreement on the DMA on March 24, 2022. That agreement effectively ended the legislative debate on digital markets competition that had been ongoing for over a year.
At that point, the laws were being finalized and translated, pending formal adoption by the European Parliament and Council. Following adoption, both laws are to be published in the EU's Official Journal.
Both laws take effect 20 days after publication. However, neither applies in full immediately: the DSA applies after fifteen months from publication or from January 1, 2024, whichever is later; the DMA allows only a 6-month grace period before its obligations kick in.
The European Commission expected formal adoption to occur in fall 2022.
What Do the DMA and DSA Mean for AdTech and Walled Gardens?
Impact on the Walled Gardens
The DMA's heaviest impact falls on the largest platforms: Google, Apple, Meta, and Amazon.
These companies will be classified as "gatekeepers" — defined as platforms with a market capitalization exceeding €75 billion and at least 45 million monthly active EU users.
Only gatekeepers are subject to the DMA's full set of obligations, though the European Commission retains the power to extend those obligations in the future. Platforms will also be required to publish biannual reports on their content moderation efforts.
Beyond limiting monopolistic conduct, the DMA introduces additional implications worth examining.
A key requirement is that large tech companies must interoperate with smaller platforms. This creates some genuine tensions.
WhatsApp, which has more than 45 million EU users and relies on end-to-end encryption, could see its users' security undermined if forced to integrate with platforms that have weaker security protocols. As long as WhatsApp controls its own protocols, it can maintain user privacy. That assurance disappears when integration with other providers, including Signal, Telegram, or others, is mandated. The Electronic Frontier Foundation published a white paper examining precisely these concerns: "The EU Digital Markets Act's Interoperability Rule Addresses An Important Need, But Raises Difficult Security Problems for Encrypted Messaging."
There is also a commercial angle. Smaller messaging providers may not actually want to interoperate with platforms like WhatsApp, since doing so could erode their own revenue base.
Julia Weiss, spokesperson for the German messaging app Threema, described the dynamic to Wired magazine:
"If existing users of free messenger A with bad privacy practices could communicate with users of privacy-conscious paid messenger B, they will not pay money for messenger B, effectively depriving it of its only source of revenue."
On the competitiveness side, the DMA's obligations are concrete. To comply:
- Google must provide alternatives to its search engine, Maps, and Chrome browser within the Android operating system.
- Apple must enable third-party payment options in the App Store as an alternative to its own payment system.
- WhatsApp must allow its users to communicate with people using rival messaging applications.
This should, in principle, open the door for competing services that currently rely on Big Tech's infrastructure, preventing them from being blocked or disadvantaged.
How Will the DSA and DMA Affect AdTech Companies?
The impact on AdTech companies will be less severe than for the walled gardens, but it is not negligible. Several provisions directly apply:
AdTech companies will not be permitted to target minors. Profiling and targeting young people with advertising is prohibited under all circumstances. Companies caught using minors' personal data face penalties.
Sensitive data is permanently excluded as a targeting criterion across the entire advertising ecosystem. The new laws complement existing regulations such as the GDPR: ad agencies, AdTech platforms, advertisers, and publishers will not be able to serve ads based on ethnicity, political views, sexual orientation, or comparable sensitive attributes. Gender and gender identity are the one area where the specification remains incomplete in the current text.
Ad labelling for digital platforms and ad repositories for Very Large Online Platforms (VLOPs). The DSA requires all digital platforms to place a clear label on ad creatives indicating who is running the ad and the targeting criteria used. VLOPs must build a publicly accessible repository (available via API) containing: the ads users were exposed to, sponsor information, targeting parameters, and total exposure counts.
Dark patterns will be banned. AdTech-oriented service providers must build processes and mechanisms that allow users to make genuinely informed decisions. Misleading information and dark patterns are prohibited.
How Will the DSA and DMA Affect Advertisers and Publishers?
As the two laws come into force, advertisers and publishers will need to adapt their data collection and utilization practices.
Like AdTech vendors, they will need to maintain strict awareness of what data they collect and how it is used. For some publishers — particularly those serving minority communities or LGBTQ+ audiences — the new rules will require a meaningful rethink of how they attract and retain audiences and promote products and services, since targeting based on sensitive attributes like sexual orientation will no longer be available.
More broadly, the shrinking of permissible targeting criteria will reduce the precision with which advertisers can reach intended audiences, prompting many to reconsider their marketing strategies and measurement approaches.