Is the digital reality about to change in favour of startups and small and medium-sized companies?

[Reading time: 10-15 minutes]

16 November 2023 was the last day to challenge ‘gatekeeper’ designation decisions, which have been made under the Digital Markets Act (‘DMA’) by the European Commission on 6 September 2023. Among six Big Tech giants (Amazon, Apple, ByteDance (TikTok), Meta, Alphabet Inc. and Microsoft) with twenty two core platform services falling under their ‘gatekeeper’ banner, three of them decided to appeal: Meta in relation to Meta Marketplace and Messenger services, TikTok and Apple. Besides that, the European Commission is currently investigating additional services like Microsoft’s Bing, Edge, and Apple’s iMessage to determine their ultimate DMA classification. Following their final designation, gatekeepers have time until 6 March 2024 to comply with the full list of do’s and don’ts under the DMA, offering more choice and more freedom to their users.

At the same time, businesses have been given time until February 2024 to comply with new requirements stemming from the Digital Services Act (‘DSA’), the second cornerstone of the EU Digital Services Package (‘DSP’). While the DMA aims to provide fair and contestable digital markets, the DSA focuses on ensuring online safety, transparency and protecting fundamental rights. Both the DMA and the DSA are designed to serve as an exhaustive code for the provision of services online.

The DMA supports smaller businesses by enabling them to compete equally with gatekeepers. Moreover, as described below, digital market actors can actively participate in DMA enforcement. At the same time, however, they also need to seek DSA-compliant solutions, which success depends on factors such as online business type, size, and target users. Therefore, start-ups and small to medium-sized entrepreneurs face the need for analysis of the new legal framework, the same as much bigger players do. Below we highlight the most important duties coming from DSP, describe harsh consequences of non-compliance and examine how start-ups and SME’s such businesses can fully benefit from the legal developments that are intended to order the internet in a pioneering manner.

Digital Markets Act


The DMA aims to ensure a fair and competitive digital economy, and to this end, it is designed by its very nature to control the largest participants on the Internet by imposing stricter rules on them. Therefore, the DMA concerns only platforms that are identified as ‘gatekeepers’ in relation to one or more ‘core platform services’ (CPS).

CPS are listed as online intermediation services, online search engines, online social networking services, video-sharing platform services, number-independent interpersonal communications services, operating systems, web browsers, virtual assistants, cloud computing services, and online advertising services. Importantly, the DMA rules apply where CPS are offered or provided to businesses or end-users in the EU. This is regardless of the place of establishment or residence of the gatekeepers.

Consequently, the designation of gatekeepers is a nodal point of the DMA. Without getting into too much detail, both quantitative and qualitative criteria are taken into account when assessing who is a gatekeeper and the final decision in that scope rests with the European Commission. In the designation decision, the European Commission indicates which CPS serve as an important gateway for business users to reach end-users. With respect to each of these CPS, the gatekeepers have to comply with all of the dos and don’ts laid down in the DMA. Adherence to those obligations must persist until the European Commission withdraws the gatekeeper status, with the Commission obliged to reevaluate the designations at a minimum of once every three years.

Dos and don’ts

Primarily, the gatekeepers are required to:

  1. enable end users to uninstall pre-installed apps or change default settings that link to the gatekeeper’s services and offer selection screens for key services;
  2. enable end users to install apps from other developers or app stores that work with the gatekeeper’s operating system;
  3. allow end users to opt out of the gatekeeper’s CPS as easily as they signed up for it;
  4. allow third parties to interact with the gatekeeper’s services;
  5. provide companies advertising on the platform with access to the gatekeeper’s performance measurement tools and information necessary for them to conduct their independent operations;

and are prohibited from:

  1. using businesses’ user data when the gatekeeper compete with them on gatekeeper’s platform;
  2. classifying their products or services more favourably compared to those of third parties;
  3. requiring app developers to use certain gatekeepers’ services (such as payment systems or identity verification) to appear in the gatekeeper’s app stores;
  4. tracking end users outside of the gatekeeper’s main platform service for profiled advertising without having acquired effective consent.

Additionally, gatekeepers offering messenger services must follow specific rules to ensure that basic features can work with other providers’ services. This requirement comes into play when other providers ask for access to a service and follows a step-by-step plan. For instance, simple features like text messages between two users must be ready to work as soon as the DMA is in effect. More complex features like group text messages need to be ready within two years, while advanced functionalities like audio and video calls between individual users or groups must be ready within four years from the designation decision.

Harsh sanctions for non-compliance

The European Commission will be the sole enforcer of the DMA. Gatekeepers who do not comply with the above-listed obligations can be fined up to 10% of their annual worldwide turnover. Moreover, the European Commission may impose a fine of up to 20% of worldwide turnover for repeat offences. Where gatekeepers consistently do not follow the DMA (meaning they break the rules at least three times in eight years), the European Commission can launch an investigation against particular gatekeeper (similar to this conducted under EU antitrust rules) and then enforce behavioural or structural remedies, if needed, or even temporarily ban gatekeeper from entering into future transactions.

Strengthening of smaller business market position

All of the above obligations apply only to gatekeepers, so their smaller competitors not only don’t have to worry about their operations’ compliance with the DMA but can expect a significant strengthening of their market position vis-à-vis gatekeepers. It is believed that the new rules will (i) allow businesses to have access to more information on how their products or services are performing on third-party platforms, helping them better understand their market, consumers, and competitors; (ii) combat unfair rankings of gatekeepers’ services and products compared to those offered by other businesses on the same platform; (iii) support businesses in attracting consumers who can no longer be locked in by gatekeeper platforms; and (iv) reduce barriers to entry on digital markets by promoting interoperability and data portability. All those factors lead to the overarching goal of the DMA – levelling the playing field in digital markets by opening up new opportunities for smaller businesses, who thereby will be able to innovate and compete against gatekeepers’ services on equal terms.

Although the European Commission has exclusive authority for enforcing the DMA, smaller competitors of gatekeepers can actively participate in achieving the DMA postulates by employing two instruments. Firstly, the DMA establishes clear complaint mechanisms, enabling any third party, including business users, competitors, or end-users of the CPS to address any unfair practices or anti-competitive conduct by gatekeepers. This provides smaller businesses with a platform to voice their concerns directly to the European Commission. Secondly, given the DMA is directly applicable in the EU Member States, it is possible to enforce the DMA obligations in national courts, including through private damages actions subject to national legislation.

Digital Services Act

Regulatory approach

Unlike the case of DMA, the scope of the DSA application is much wider and depends on multipolar classification rather than bipolar (gatekeeper/non-gatekeeper). Distinct responsibilities have been placed on various businesses based on their intermediary service type, scale, and influence. These duties are aimed to ensure that digital business services are provided in responsible manner and are not misused for unlawful activities. Specific obligations apply primarily to very large online platforms and very large online search engines, commonly known as VLOPs and VLOSEs, whereas very small platforms are largely exempt from the majority of their obligations. By adjusting the allocation of responsibilities within the online ecosystem according to platform size, the DSA guarantees proportionality of the regulatory burdens.

Four layers of digital businesses and their obligations

With those proportioned legal obligations, the DSA covers four layers:

  1. Intermediary services offering network infrastructure, internet access providers, and domain name registrars must (i) establish two single points of contact, one for the recipients of the services and another to facilitate direct communication with the supervisory authorities, while providers not established in the EU but offering services in the EU will be required to designate a legal representative in the EU; (ii) explicitly and unambiguously describe in their terms and conditions any restrictions that they may impose on the use of their services, such as the content moderation policies, and to act responsibly in applying and enforcing those restrictions; (iii) for services aimed at minors, provide an explanation on the conditions and restrictions of use in a way that is understandable to minors; and (iv) publish an annual report on content moderation.
  2. Hosting services such as cloud and web hosting services must (i) comply with all layer one obligations; (ii) implement a mechanism that allows third parties to notify the presence of allegedly illegal content; (iii) inform the person who filed a notification of the decision taken based on the notification and the available redress mechanisms; (iv) provide a statement of reasons to the relevant user if a provider decides to remove information or suspend or terminate the provision of the services; and (v) inform the national authorities of any information giving rise to suspicions of serious criminal offences.
  3. Online platforms such as online marketplaces, app stores, collaborative economy platforms, and social media platforms must: (i) comply with all layer one and two obligations; (ii) publish the average monthly active recipients in the last six months on their online interface; (iii) treat notices filed by trusted flaggers (independent entities that have particular expertise in detecting illegal content) with priority; (iv) design their online interfaces in a way that enables users to make free and informed decisions (ban on the so-called dark patterns); (v) provide a high level of privacy, safety, and security for minors, including a prohibition on presenting them advertising based on profiling; (vi) set out in T&C the main parameters used in their recommender systems to suggest or rank the information presented to users; and (vii) arrange a certified out-of-court mediation mechanism for decisions concerning content moderation.
  4. Very large online platforms and very large online search engines, ie online platforms reaching at least 45 million active users in the EU, on top of all the above-listed requirements must adopt the most aggravated measures such as undergoing an annual independent audit into the DSA compliance, establishing a public repository on the online advertisements displayed in the past year, or providing to the competent authorities access to the data necessary to monitor the fulfilment of the DSA obligations. Last but not least, VLOPs and VLOSEs have to address any systemic risk stemming from the use of their platforms by effective and tailor-made mitigation measures, whereas the definition of systemic risk is extensive and includes almost any collective threat, eg illegal content, hate speech, privacy breaches, or election interference.

Additionally, with the exception of those employing fewer than 50 individuals or generating annual revenues below 10 million euros, all platforms are also obliged to: (i) set up complaint and redress mechanisms; (ii) cooperate with so-called trusted flaggers; (iii) take measures against abusive notices; (iv) deal with complaints; (v) include the credentials of third-party suppliers; (vi) provide user-friendly and transparent online advertising.

Positive implications for smaller business

It is reasonable to assume that enforcing obligations stemming from the DSA will improve digital platforms’ transparency in content moderation, traceability and verifiability of traders, as well as reduce the manipulative design of online space and sensitive ad tracking. It brings twofold implications for smaller businesses.

On the one hand, smaller businesses must take action to adopt a well-designed platform interface, easy-to-use mechanisms for abusive notice, complaint and redress, and a streamlined set of processes regarding transparent reporting of content moderation. Moreover, they need to rearrange personal data collection policies and the use of cookies. Ultimately, the DSA will have a profound impact on the effectiveness of online campaigns. On the other hand, smaller businesses will also benefit from this new set of rules as well. They will be provided with user-friendly and efficient tools to report unlawful activities that harm their trade, eg intellectual property rights infringements. Additionally, they will have access to both internal and external redress mechanisms, which will enhance their safeguards against unjust content removal by VLOPs and VLOSEs and in turn, contribute to minimizing losses. Finally, the DSA rules are uniform in the entire Union, facilitating cross-border operations.


The DMA gives a clear advantage to smaller businesses. By levelling the playing field in digital markets, it allows for competing with gatekeepers on equal terms. Moreover, smaller competitors can contribute to the DMA enforcement by voicing their concerns regarding the practices of gatekeepers directly to the European Commission or taking private damages actions in EU Member States.

At the same time, while searching for DSA-compliant solutions, it is important to acknowledge that there is not just one single way for proper adherence. Specific factors like the type and model of online business, the size of operations, and the targeted users should be taken into account when determining compliance steps to be implemented.

Should you require any assistance with getting your business prepared for the Digital Services Package, we would be happy to help. Do not hesitate to contact us either by e-mail or phone.