These decisions are not isolated enforcement actions. They are the first returns on a regulatory framework that took years to build and was always designed to produce exactly this kind of outcome: binding decisions, significant financial penalties, and precedents that will shape how digital platforms operate in the EU for the foreseeable future.
- The DMA's first fines — €500m against Apple for Article 5(4) anti-steering and €200m against Meta for the Article 5(2) data-combination prohibition — confirm the Commission enforces the DMA's per se obligations with material penalties, not advisory guidance.
- The Meta decision's holding that a binary "pay or consent" choice is not freely given consent reaches well beyond Meta, exposing any platform that uses consent-based data processing as a structural element of its business model.
- DSA enforcement is now multi-front: TikTok's Article 39 advertising-repository shortfall, Germany's Bundesnetzagentur processing 1,700+ complaints and designating four Trusted Flaggers, and DSA standards entering German civil courts (OLG Bamberg, OLG Frankfurt).
- The Article 13 DSA duty to appoint an EU legal representative — and the DSA's tiered obligations — bind all non-EU intermediary providers with EU users, not only VLOPs, so mid-sized platforms cannot treat enforcement as a big-tech-only concern.
§ ILatest enforcement developments
§ IIWhat the decisions actually establish — and why they matter beyond the headlines
The April 2025 Apple and Meta decisions mark a genuine inflection point. The DMA had been in force since March 2024, and some observers questioned whether the Commission would move quickly enough to give the regulation credibility before political resistance softened its enforcement posture. The decisions answer that question, at least for now.
The Apple case turns on the anti-steering obligation in Article 5(4) DMA. Gatekeepers operating app distribution platforms may not restrict developers from directing users to pricing alternatives outside the platform. Apple's rules had the practical effect of preventing developers from informing users that the same digital purchase was available more cheaply elsewhere. The Commission treated this as a structural distortion — one that systematically advantages the gatekeeper's own commercial ecosystem.
The Meta decision engages Article 5(2) DMA, which prohibits gatekeepers from combining personal data across their core platform services without adequate legal basis. Meta's "pay or consent" framework was found to fail this standard. The reasoning is significant: the Commission held that a binary commercial choice does not constitute freely given consent.
The TikTok advertising transparency finding, though still preliminary, is instructive for a different reason. It concerns a specific technical obligation — the requirement under Article 39 DSA to maintain a publicly accessible advertising repository with information on ad sponsors, targeting parameters, and display periods. The Commission's preliminary view is that TikTok's repository lacks sufficient detail for researchers and civil society to detect coordinated disinformation and fraud — precisely the public oversight function Article 39 was designed to enable.
§ IIIUnderstanding the regulatory architecture: DSA and DMA together
The Digital Services Act
The DSA establishes a tiered compliance framework for all providers of intermediary services with a connection to the EU market. The tier a company falls into determines the density of its obligations — but every tier carries substantive duties.
Intermediary services. Broadest category. Conduit, caching, hosting. Conditional liability immunity and baseline transparency obligations apply.
Online platforms. Store and disseminate user-facing content. Notice-and-action mechanisms, complaint systems, recommender transparency, dark pattern prohibition.
Online marketplaces. Facilitate consumer-to-business transactions. Additional "Know Your Business Customer" traceability obligations for sellers.
VLOPs / VLOSEs. >45m monthly active EU users. Systemic risk assessments, independent audits, researcher data access, crisis response protocols.
One structural element of the DSA now generating tangible enforcement activity is the Trusted Flagger system under Article 22. Formally recognised entities — organisations with demonstrated expertise and independence — whose reports of allegedly unlawful content to platforms must be processed with priority. Germany's Bundesnetzagentur has now recognised four such entities. A platform that has not assessed whether its content moderation infrastructure distinguishes between ordinary notices and Trusted Flagger submissions is already out of step with its obligations.
The liability framework in Articles 4 through 6 DSA is also working its way into German courts. The OLG Bamberg became the first German appellate court to engage directly with the Article 25 dark patterns prohibition in a ticket platform case. The OLG Frankfurt addressed platform liability for deepfake content. The DSA is no longer only a regulatory instrument — it is being integrated into civil litigation.
The Digital Markets Act
The DMA operates through a designation mechanism. The Commission identifies specific companies as "gatekeepers" for specific core platform services — covering social networks, app stores, operating systems, search engines, advertising services, and intermediation services. Designation brings a non-negotiable set of behavioral obligations and prohibitions. Some are per se rules: the anti-steering prohibition, the data combination prohibition, the self-preferencing ban. Others require specification through Commission proceedings before their precise technical scope becomes clear.
The Commission has shown that it applies gatekeeper thresholds with genuine interpretive flexibility: confirming ByteDance's designation despite multi-homing arguments; declining to designate X after finding insufficient ecosystem lock-in; and revoking Facebook Marketplace's designation when Meta demonstrated the threshold was no longer met — the first revocation in DMA history.
§ IVEnforcement under political pressure: the transatlantic dimension
Any analysis of current DSA and DMA enforcement that ignores the transatlantic political context would be incomplete. The current US administration has characterised European digital regulation as economically discriminatory — noting, accurately, that almost all designated gatekeepers are US-headquartered companies. Tariff negotiations have been accompanied by public statements and reportedly private pressure regarding specific enforcement proceedings. Reports emerged that at least one Commission investigation involving a US platform was paused in the context of trade discussions.
The April 2025 decisions against Apple and Meta nonetheless went ahead with substantial fines. The Commission has consistently maintained that the DMA's application follows from market position, not national origin. That position is legally correct — but the political environment adds genuine uncertainty that companies should factor into their planning, without treating it as a reason to defer engagement with legal obligations. Political negotiations do not pause enforcement timelines.
§ VPenalty exposure: what is actually at stake
Beyond financial penalties, the Commission can impose interim measures, require structural remedies, and restrict market access in cases of persistent non-compliance. In the DMA context, systematic infringement may result in a prohibition on acquisitions in the relevant sector. Apple has already announced it will contest the €500 million fine — initiating what is likely to be prolonged litigation whose outcomes will shape DMA interpretation for all gatekeeper-designated companies.
§ VIWhat this means for companies that have not yet engaged
The enforcement activity to date has concentrated on the largest and most visible platforms. This has encouraged a false sense of distance among smaller and mid-sized technology companies operating in the EU market. That distance is largely illusory.
The DSA's obligations apply to any provider of intermediary services to EU users, regardless of company size or establishment. The Article 13 requirement to designate a legal representative within the EU applies to all non-EU providers — not only VLOPs. National DSCs are operational, receiving and processing complaints, and building enforcement capacity rapidly. And courts — as the OLG Bamberg case illustrates — are applying DSA standards in civil proceedings independently of any regulatory action.
A structured compliance assessment for companies at an early stage of EU digital law engagement typically covers:
- Establishing which DSA tier applies — a CDN operator, a SaaS provider, and a consumer marketplace face materially different compliance profiles even though all may qualify as intermediary services
- Determining whether the Article 13 legal representative requirement is triggered and establishing that representation with appropriate contractual risk allocation
- Reviewing notice-and-action processes, internal complaint mechanisms, and terms-of-service language against the DSA's specific procedural and transparency requirements
- For larger platforms: conducting the systemic risk assessments required under Article 34 DSA and establishing audit-ready documentation of resulting mitigation measures
- Reviewing advertising and recommender system transparency disclosures — including, where applicable, the Article 39 advertising repository requirement now subject to the TikTok proceedings
- Mapping DSA obligations against existing GDPR compliance structures, since content moderation and advertising systems frequently engage both frameworks simultaneously
The enforcement record of spring 2025 confirms what the regulatory text always indicated: the DSA and DMA are designed to produce binding outcomes, not advisory guidance. Companies that engage with their obligations now, before a complaint or proceeding forces the question, are in a materially better position than those that wait.
This article is provided for general informational purposes only and does not constitute legal advice. References to enforcement proceedings reflect publicly available information as of the date of publication. Individual compliance questions require tailored legal analysis. © 2025 Kanzlei Theo Funk, Bamberg.
Kanzlei Theo Funk — EU digital law counsel for US technology companies
This firm advises US-based technology companies on DSA and DMA compliance: scope and tier assessments, Article 13 legal representative services under the DSA, regulatory correspondence support, and ongoing compliance counsel as the enforcement landscape develops. If your company has EU users and has not yet assessed its position under the DSA, now is the right time.
Get in touch →