Executive summary
Interoperability sounds like an engineering concern, but it is one of the most consequential questions in modern competition policy. Consider two familiar situations. A consumer who pairs Samsung Galaxy Buds with an iPhone may find that some of the features available with AirPods are not replicated to the same extent across ecosystems; and a Signal user in Europe cannot exchange messages with a contact on WhatsApp, despite both services performing the same function. In each case, the user is trapped inside the gatekeeper’s walled garden and switching costs unrelated to product quality sustain the incumbent’s market position.
This is why interoperability matters: where it is foreclosed, incumbency advantages compound in ways that resist competitive correction even when challengers offer superior products. The EU responded with the Digital Markets Act (DMA), which through Articles 6(7) and 7 imposes vertical and horizontal interoperability obligations on designated gatekeepers.
This regulatory intervention is layered on top of interoperability that gatekeepers already offer voluntarily through exposed APIs and developer programmes, and in some cases through formal request-based processes administered by the platforms themselves. The DMA’s distinctive contribution is not the invention of interoperability in digital ecosystems, which largely preceded it, but the imposition of ex-ante obligations on designated gatekeepers to provide interoperability at the points where market incentives alone have failed to deliver it. It is the most ambitious ex-ante regime enacted anywhere. Yet ambition does not equal coherence.
Interoperability regulation must simultaneously serve three objectives that do not pull uniformly in the same direction: market contestability (reducing lock-in and switching costs); innovation incentives (preserving the appropriability conditions that justify platform investment); and security (protecting closed ecosystems from the attack surfaces that third-party access can create). This is the contestability-innovation-security trilemma, and no architecture resolves it without remainder. The question is whether the DMA navigates the trade-offs intelligently. Three years into implementation, the answer is that it does not.
The DMA’s primary-level obligations are simultaneously over-inclusive in scope and underdetermined in normative content: they apply uniformly to every designated gatekeeper without calibration to proved need, while failing to specify the outcome criteria against which compliance should be judged. The result is a structural risk of compliance minimalism at gatekeeper level and, in reaction, a Commission drawn towards prescriptive-in-means implementing acts that risk crystallising specific technical architectures into binding law.
The March 2025 Apple specification decision illustrates the vertical dimension: the Commission identified nine specific iOS features that Apple must open to third parties and also prescribed in detail how Apple should run the process it had established in January 2024 through which developers can request access to other features. The concern is that, by fixing today’s technical choices in a binding legal decision, the regime may leave little room for those choices to evolve as the underlying technology changes. The November 2025 WhatsApp launch illustrates the horizontal one: Meta shaped the interoperable architecture around its own infrastructure, while Signal and Threema – the services most committed to privacy-preserving design – were structurally excluded. The security derogation meant to prevent this outcome delivered its inverse.
The UK and Japan have made architecturally distinct choices within the same policy window. The UK’s Digital Markets, Competition and Consumers Act relies on a collaborative, firm-specific conduct-requirement process, with proportionality embedded upstream and technological neutrality preserved throughout. Japan is a particularly instructive case: its Mobile Software Competition Act drew openly on the DMA as a template, yet departed from it on the points that have proved most problematic, adopting a functional equivalence standard and commitment procedures that soften the reactive character of regulatory intervention. Neither regime achieves full coherence, but both illuminate trade-offs the DMA has not.
Three reforms follow. First, Articles 6(7) and 7 should be reformulated to specify outcome criteria – timeliness, technical completeness and absence of unjustified conditions – without prescribing technical means. Secondly, interoperability should be activated on a demand-driven basis, through the gatekeeper’s own request process, with prescriptive regulatory specification reserved as a residual mechanism where that process demonstrably fails to deliver. Thirdly, an independent European digital authority should be entrusted with monitoring outcome criteria, evaluating security claims with genuine technical expertise, and insulating enforcement from the geopolitical pressures the Commission cannot structurally resist.
The DMA review cycle, and the jurisdictions now using its architecture as a template, offer a time-limited opportunity to internalise these lessons before they harden into a second generation of frameworks. This Policy Paper develops the diagnosis in full, grounds it in the implementation record of the DMA’s interoperability regime, compares it against the regulatory architectures of the UK and Japan, and sets out the three reforms in detail.
