Analysis: EU's DMA May Create Security Risks
A new technical review highlights that the Digital Markets Act's forced interoperability mandates could introduce new security vulnerabilities. By requiring gatekeepers to expose APIs and data to third parties, the regulation may inadvertently expand the attack surface for major platforms.
The Digital Markets Act's requirement that "gatekeepers" provide third parties with effective interoperability with hardware and software features is a core point of contention. Specifically, Article 6(7) of the DMA mandates this access, forcing the opening of internal functions that were never designed for such broad external interaction and thereby disrupting established security models. This has led to a direct conflict with other EU regulations, such as the General Data Protection Regulation (GDPR) and the Cyber Resilience Act (CRA), which impose strict data protection and security requirements.

Cybersecurity experts warn that these interoperability mandates expand the attack surface of major platforms, creating new entry points for malicious actors. The concern is that forced access to sensitive data and system APIs could expose users to increased risk of malware, fraud, and scams. Requiring platforms to permit unregulated external links, as Article 5(4) may entail, could allow attackers to bypass the security controls that vet links for phishing and malware.

In response to the DMA, Apple has introduced new safeguards for its EU operations, including a notarization process for iOS apps distributed through alternative marketplaces and an authorization system for marketplace developers. However, the company maintains that even with these measures significant risks remain, and that its ability to protect users from malicious apps is compromised. Apple has stated that the DMA's requirements have created new avenues for malware and illicit content and have weakened its capacity to act against them. Apple has formally communicated to the European Commission that the law is slowing innovation and weakening privacy for its users in the EU. The company has delayed the rollout of new features such as iPhone Mirroring and advanced Maps functionality in the European Union because the DMA requires them to be engineered to work with non-Apple platforms first. As a result, the experience for users of Apple products in the EU may lag behind that of users in other regions.

The push for interoperability also raises significant technical challenges for preserving end-to-end encryption in messaging services. Security experts argue that forcing services such as iMessage or WhatsApp to interoperate with others increases their technical complexity, may inherently make them less secure, and obliges users to place trust in a wider array of service providers. The DMA does include a provision that the level of security, including encryption, must be preserved, but experts question whether this is technically feasible without unacceptable trade-offs.

The European Commission has begun enforcement actions, opening investigations into several gatekeepers, including Apple, for non-compliance with various aspects of the DMA. In April 2025, Apple was fined €500 million for breaching the DMA's anti-steering rules by preventing app developers from informing users about alternative purchasing options outside the App Store. This enforcement action underscores the tension between the DMA's pro-competition goals and the gatekeepers' arguments for maintaining a secure, integrated ecosystem.