EU Digital Markets Act Obligations for Online Marketplaces: Requirements and Compliance Duties

Can big marketplaces still favor their own products and lock sellers out?
The EU Digital Markets Act obligations for online marketplaces say no and force major operational changes.
Gatekeepers must give business users real-time access to platform data, open APIs for third-party tools, stop self-preferencing, and get explicit consent before combining cross-service personal data for ads.
Why it matters: revenue, visibility, and ad-targeting rules change fast for affected platforms.
This post explains the requirements, who qualifies, and the concrete compliance steps to start now.

Core Obligations for Online Marketplaces Under the DMA

The Digital Markets Act went live across the EU on May 2, 2023. Gatekeepers get six months from designation to make everything work.

If you’re running an online marketplace and hit gatekeeper status, you’ve got to give business users real-time access to their platform data. All of it. Transaction volumes, conversion rates, impressions, how customers engage with their listings. You can’t gate this stuff anymore.

Third-party apps and services need to be able to plug into your platform. Users should be able to uninstall pre-loaded software (unless yanking it would break core OS functions). Business users can link directly to their own offers outside your ecosystem, and you can’t penalize them for it. And here’s the big one: you can’t merge personal data from different services to build ad profiles unless each user explicitly agrees under GDPR rules.

Self-preferencing is dead. You can’t boost your own products over comparable third-party listings in search results or recommendations. Advertising transparency means you disclose every data source you use for targeting, plus you hand over verification tools so advertisers and publishers can check campaign numbers independently. Business users get to offer their own payment options and talk to their customers off-platform without your interference or jacked-up fees.

Getting compliant means building secure APIs that expose seller performance metrics. Publishing technical docs that third parties can actually use. Auditing your ranking algorithms to strip out favoritism. Rewriting terms of service to kill anti-steering language. You’ll need detailed logs of ranking choices, data shares, consent events. Regulators will ask for these during audits. Appoint compliance officers. Publish annual transparency reports.

Most important marketplace obligations under the DMA:

  • Give business users real-time platform data access (impressions, clicks, conversions, sales).
  • Ban self-preferencing in search rankings, recommendations, featured spots.
  • Let business users link off-platform and use third-party payments.
  • Disclose ad data sources and provide advertiser verification tools.
  • Build and document APIs for third-party interoperability with secure auth.
  • Get explicit consent before combining personal data across services for ads.

Gatekeeper Status and Marketplace Qualification Under the DMA

You’re a gatekeeper if you pull at least €7.5 billion annual EU turnover over the last three years, or you’re valued at €75 billion or more, and you operate in at least three EU member states. Plus you need 45 million monthly active EU end users and 10,000 yearly active EU business users.

Hit those numbers? The European Commission reviews your case and decides within 45 days of notification. Once you’re designated, you get six months to comply. Everything. No extensions.

Notification isn’t optional. Cross the thresholds, you’ve got two months to tell the Commission. They can also launch market investigations and designate you even if you don’t hit the numeric bars, if you control a bottleneck that business users can’t route around.

For marketplaces, you’re looking at “online intermediation services.” Basically, platforms that sit between business users and consumers to make transactions or relationships happen. If your marketplace fits the user counts, revenue marks, and plays a major intermediation role across multiple EU countries, expect designation.

Self-assess early. Appoint compliance leads now. Map your data flows. Inventory features that might look like self-preferencing. Don’t wait until the six-month clock starts ticking.

Data Access, Portability, and Advertising Transparency Requirements for Marketplace Operators

Gatekeepers have to give business users effective, timely access to all business-relevant data the platform generates. Transaction volumes, page views, search impressions, click-through rates, conversions, customer demographics (aggregated and anonymized per privacy law). Anything that helps a seller make smarter decisions.

Access has to be real-time or close to it. Secure APIs or downloadable dashboards. Structured formats like JSON or CSV. Granular enough for independent analysis and optimization. You can’t lock down how business users export or analyze their own data.

For advertising, you disclose which first-party and third-party data sources feed your targeting engine. You provide disaggregated performance reports. You offer verification interfaces so advertisers and publishers can independently measure impressions, clicks, conversions, reach.

Here’s where it gets strict: you can’t combine personal data from one core platform service with data from another service (or third-party sources) for targeted advertising or profiling unless the user gives explicit, freely given, granular consent under GDPR. Cross-service data aggregation for ads requires separate, clear opt-ins. Users can withdraw anytime.

Data Requirement | Description | Enforcement Timing
Real-time business-user data access | Provide sellers with API or dashboard access to impressions, clicks, conversions, sales data in structured format (JSON/CSV) | Within 6 months of designation
Advertising transparency and verification | Disclose data sources used for ad targeting; provide third-party verification APIs for impression/click validation | Within 6 months of designation
Cross-service data aggregation limits | Prohibit combining personal data from different services for ads/profiling without explicit GDPR-compliant consent | Immediate upon designation
Data portability for consumers | Enable end users to export their personal data and transfer it to third-party services in a structured format | Within 6 months of designation

Prohibited Marketplace Behaviors Under the DMA (Self-Preferencing, Bundling, Discrimination)

Self-preferencing is banned outright. You can’t rank your own products or services higher than third-party offerings in search results, product listings, recommendations, anywhere an algorithm makes placement decisions. If you run a private-label brand, it competes on the same ranking signals as every other seller. You can’t use non-public data from business users (detailed sales trends, customer feedback, supply-chain intel) to guide your own product development or pricing.

Tying and bundling are out. You can’t force business users or consumers to use one service to access another. No requiring sellers to buy your logistics, payments, or ads just to list products. Business users can promote alternative offers and close deals with their customers outside your platform. That includes linking directly to external checkout pages or other app stores. You can’t penalize them with higher commissions, reduced visibility, or account restrictions when they do this.

Discrimination rules enforce equal treatment. Apply the same terms, conditions, and technical access to all business users offering similar services. You can’t stop users from filing DMA complaints with regulators. Users can uninstall pre-installed apps and change default settings on operating systems, browsers, virtual assistants (unless removing something breaks system integrity or security).

Five key prohibited practices under the DMA:

  1. Ranking your own products or services above comparable third-party offerings in search or recommendation algorithms.
  2. Using non-public business-user data to compete against those users in product strategy, pricing, or market decisions.
  3. Requiring business users to use your payment processor, logistics, or advertising services as a condition of platform access.
  4. Preventing or penalizing business users who link off-platform or communicate directly with their customers.
  5. Combining personal data from multiple services for targeted ads or profiling without explicit, separate user consent.

Interoperability and API Requirements for Online Marketplaces

Gatekeepers publish detailed technical specs and terms that let third-party services plug into the core platform. API endpoints, authentication protocols, data formats, rate limits, error handling. All documented in machine-readable formats that developers can use without negotiating case by case.

For marketplaces, interoperability usually means letting third-party logistics providers, payment gateways, analytics tools, and inventory systems connect securely and access the data flows business users need.

The Commission can demand more if your initial efforts don’t cut it. Third-party integrations get the same technical performance, reliability, and support as your own first-party services. Use industry-standard auth (OAuth 2.0, OpenID Connect, equivalent). Include logging, monitoring, and support channels so third parties can troubleshoot integration problems fast.

API Documentation Requirements

Machine-readable API docs include endpoint URLs, request/response schemas (JSON or XML), authentication flows, example payloads, error codes, rate-limit policies. Version your docs. Keep them current. Provide sandbox environments where developers can test without touching live business-user data.

Access-control policies need to be transparent. Developers should know which scopes or permissions each operation requires. Process API access requests promptly, without discrimination. Offer technical support and developer forums for integration questions and bug fixes.

Third-Party Integration Standards

Interoperability applies to messaging-like services too. Gatekeepers provide secure gateways so third-party messaging providers can exchange messages with users on the gatekeeper’s platform.

For marketplaces, this means enabling third-party order management systems, CRM tools, and fulfillment platforms to read order data, update inventory, and push shipment statuses through documented APIs. Apply the same security, anti-abuse, and privacy controls to third-party integrations as you do to your own services. Don’t degrade quality, latency, or feature sets for external integrators.

The point is to kill technical lock-in. Business users should be able to build best-of-breed software stacks without being forced onto your proprietary tools.

DMA Enforcement, Penalties, and Marketplace Risk Exposure

First-time DMA violations can cost you up to 10 percent of total worldwide annual turnover. Repeat or systematic non-compliance? Up to 20 percent of global turnover. These penalties apply per infringement. Multiple violations in one enforcement action can trigger multiple fines.

The Commission can also impose periodic penalty payments. Daily fines that pile up until you comply, calculated as a percentage of average daily worldwide turnover, up to around 5 percent per day.

Financial penalties aren’t the only risk. For persistent, systematic violations that fines don’t fix, the Commission can order structural and behavioral remedies. Divest business units. Stop certain commercial practices. Implement specific technical measures under ongoing regulatory supervision.

The Commission can launch market investigations to see if new obligations should apply to you or if emerging practices dodge existing rules. Audits and investigations mean you produce ranking algorithm logs, data-sharing records, consent-flow documentation, evidence of non-discriminatory treatment. Keep these records organized. You’ll need to respond to regulatory requests fast.

Summary of DMA penalties and enforcement actions:

  • First-time infringement fines up to 10% of total worldwide annual turnover.
  • Repeat or systematic violations fined up to 20% of global turnover.
  • Periodic penalty payments (daily fines) up to around 5% of average daily turnover until compliance.
  • Structural remedies including divestiture or operational restrictions for persistent non-compliance.

Practical DMA Compliance Roadmap for Marketplace Operators

Start with a fast threshold check. Within the first month, figure out if your marketplace hits gatekeeper criteria. €7.5 billion EU turnover or €75 billion valuation, operating in at least three EU states, 45 million monthly EU end users, 10,000 yearly EU business users.

Appoint a DMA compliance lead with authority over product, engineering, legal, and data teams. Inventory all core platform services. Map personal and business data flows across those services. Flag features that could look like self-preferencing: featured placements, private-label product rankings, bundled services, restrictions on off-platform linking.

Between months three and six, build the technical infrastructure for compliance. Develop APIs and dashboards that give business users real-time access to transaction data, conversion metrics, ad performance. Update terms of service and developer agreements to explicitly allow alternative payment processors, third-party logistics integrations, direct off-platform customer communication.

Audit your ranking and recommendation algorithms. Strip out any preferential treatment of first-party products. Document the signals and weights you use so you can prove non-discriminatory treatment during regulatory review. Set up GDPR-compliant consent mechanisms for any cross-service data aggregation in ad targeting. Make consent requests granular, clear, easy to withdraw.

From months six to twelve, deploy interoperability endpoints. Secure APIs with published technical specs, authentication flows, machine-readable docs. Build logging and audit-trail systems that capture ranking decisions, data-sharing events, user consent timestamps. Run third-party penetration testing on new APIs to validate security.

Publish your first transparency report covering compliance measures, data-access stats, enforcement interactions. Set up ongoing monitoring with defined SLOs, KPIs, and automated alerts for anomalies that could signal non-compliance (unexpected ranking bias, API downtime affecting third-party integrations).

Six-step DMA compliance roadmap for marketplace operators:

  1. Month 0–1: Run threshold self-assessment, appoint compliance lead, inventory core platform services, map data flows.
  2. Month 1–3: Identify self-preferencing risks, audit ranking algorithms, document current business-user data access.
  3. Month 3–6: Build business-user data APIs and dashboards, update terms to allow alternative payments and off-platform linking, implement consent flows for cross-service data use.
  4. Month 6–9: Deploy interoperability APIs with published specs, complete ranking algorithm transparency docs, establish audit-trail logging.
  5. Month 9–12: Run third-party security testing, publish transparency report, train support teams on DMA obligations, update commercial contracts with business users.
  6. Ongoing: Monitor API SLOs, handle DMA-related complaints, coordinate with legal and RegTech for Commission reporting, update systems as Commission guidance evolves.

Final Words

We ran through the DMA’s practical rules: real-time data access for sellers, required APIs and interoperability, ad transparency and consent limits, bans on self-preferencing, and the right to link off-platform or uninstall defaults.

We also covered gatekeeper thresholds, enforcement powers and fines, plus a step-by-step compliance roadmap that shows what to log, what to build, and when.

Treat EU Digital Markets Act obligations for online marketplaces as an operations project: prioritize the highest-risk fixes, document everything, and you’ll lower regulatory risk while staying competitive.

FAQ

Q: What are the core DMA obligations for online marketplaces?

A: The core DMA obligations for online marketplaces require real-time business-user data access, third-party interoperability, a ban on self-preferencing, uninstallable defaults, off-platform linking, and GDPR-compliant consent for personal data combining.

Q: Who qualifies as a gatekeeper under the DMA?

A: A gatekeeper under the DMA is a platform meeting thresholds: €7.5B EU turnover (last 3 years) or €75B valuation, active in at least 3 EU states, ≥45M monthly EU end users, and ≥10,000 yearly EU business users.

Q: What is the designation and compliance timeline under the DMA?

A: The designation and compliance timeline under the DMA gives the Commission 45 days to decide after notification and a 6-month compliance window from designation for gatekeepers to meet obligations.

Q: What data access and portability rules must marketplaces follow?

A: The data access and portability rules require real-time, machine-readable data exports to business users, ad verification data for advertisers, and tools for user-controlled data portability and secure exports.

Q: How does the DMA change advertising transparency and limits on combining personal data?

A: The DMA requires advertisers and publishers be given verification data and forbids combining personal data across services without explicit, GDPR-compliant consent, reducing opaque profiling and mixed ad-targeting.

Q: What marketplace behaviors are prohibited under the DMA?

A: The DMA prohibits self-preferencing, using non-public seller data for advantage, restricting off-platform offers, tying or bundling services, blocking third-party payments, and preventing uninstalling default apps.

Q: What interoperability and API requirements do marketplaces need to meet?

A: The interoperability and API requirements force gatekeepers to publish technical specs and T&Cs, provide secure machine-readable APIs for third-party integrations, and support messaging-like service interoperability.

Q: What must API documentation include under the DMA?

A: API documentation must include machine-readable formats, clear authentication methods, role-based access controls, rate limits, data schemas, error codes, and published terms for third-party use.

Q: What standards apply to third‑party integration and openness?

A: Third-party integration standards expect open, non-discriminatory access, documented interfaces, secure data transfer standards, and timely technical support to enable equivalent functionality for external apps.

Q: What penalties and enforcement can the European Commission impose for DMA breaches?

A: The Commission can fine up to 10% of global turnover, 20% for repeat breaches, impose periodic penalties up to 5% of average daily revenue, and order structural remedies or market investigations.

Q: What records and logs must marketplaces keep for DMA audits?

A: Marketplaces must retain ranking logs, data-sharing records, API access logs, consent records, transparency reports, and compliance documentation to support audits and investigations.

Q: How should marketplaces start a DMA compliance roadmap?

A: To start a DMA compliance roadmap, assess thresholds, appoint a compliance lead, map data flows, audit rankings, and plan APIs, consent flows, and logging within the first 3 months.

Q: What immediate actions are required in the first 3 months of compliance?

A: In the first 3 months, immediate actions are threshold verification, appointing a compliance lead, starting ranking audits, mapping APIs, updating privacy notices, and logging current access patterns.
