Enforcement Briefing · DMA & DSA

Apple Fined €500m, Meta €200m — Europe's Digital Rulebook Is Now Enforcing.

The EU's Digital Markets Act has issued its first formal sanctions, TikTok faces preliminary findings under the Digital Services Act, and national regulators are processing thousands of complaints. Here is what happened — and what it means.

Published June 2025
Reading time 11 minutes
Author Theo Funk, Rechtsanwalt
Scope DMA Art. 5 · DSA Art. 39

These decisions are not isolated enforcement actions. They are the first returns on a regulatory framework that took years to build and was always designed to produce exactly this kind of outcome: binding decisions, significant financial penalties, and precedents that will shape how digital platforms operate in the EU for the foreseeable future.

Key Takeaways
  • The DMA's first fines — €500m against Apple for Article 5(4) anti-steering and €200m against Meta for the Article 5(2) data-combination prohibition — confirm the Commission enforces the DMA's per se obligations with material penalties, not advisory guidance.
  • The Meta decision's holding that a binary "pay or consent" choice is not freely given consent reaches well beyond Meta, exposing any platform that uses consent-based data processing as a structural element of its business model.
  • DSA enforcement is now multi-front: TikTok's Article 39 advertising-repository shortfall, Germany's Bundesnetzagentur processing 1,700+ complaints and designating four Trusted Flaggers, and DSA standards entering German civil courts (OLG Bamberg, OLG Frankfurt).
  • The Article 13 DSA duty to appoint an EU legal representative — and the DSA's tiered obligations — bind all non-EU intermediary providers with EU users, not only VLOPs, so mid-sized platforms cannot treat enforcement as a big-tech-only concern.

§ ILatest enforcement developments

€500m APPLE · DMA FINE
€500m
Apple hit with first-ever DMA fine — Apr 23, 2025 · DMA. Commission finds Apple prevented developers from directing users to cheaper alternatives outside the App Store — a breach of the anti-steering obligation under Art. 5(4) DMA. Apple has announced it will contest the decision in court.
DATA COMBINATION · ART. 5(2) €200m
€200m
Meta fined over pay-or-consent model — Apr 23, 2025 · DMA. Commission concludes that Meta's binary choice between personalised ads and a paid subscription did not constitute genuine user consent under Art. 5(2) DMA's prohibition on cross-service data combination.
INTEROPERABILITY MANDATE 2025–2026
Apple must open iOS to third-party devices — Apr 23, 2025 · DMA Art. 6(7). Binding orders require Apple to grant third-party device makers — smartwatches, headphones — equivalent access to iOS connectivity functions including notifications, fast data transfer, and device setup. Deadlines run to end of 2026.
AD REPOSITORY TRANSPARENCY FAILURE
TikTok's ad archive falls short of DSA standards — May 14, 2025 · DSA Art. 39. Preliminary Commission finding: TikTok's advertising repository lacks required information on ad content, targeting criteria, and sponsors — hampering detection of disinformation and fraud. TikTok has the right to respond before any formal decision.
DE 1,700+ COMPLAINTS TO BUNDESNETZAGENTUR 4 TRUSTED FLAGGERS DESIGNATED 1st DSA DISPUTE RESOLUTION BODY CERTIFIED
National enforcement picks up pace — and so does private litigation — Ongoing · DSA National Enforcement. Germany's Bundesnetzagentur has received over 1,700 complaints since assuming its role as Digital Services Coordinator. Four Trusted Flaggers are now formally recognised, including the consumer federation vzbv and HateAid. Germany's first certified DSA dispute resolution body has been operational since August 2024. Separately, Commission proceedings against Temu and AliExpress for systemic risk assessment failures continue — with AliExpress reaching the first-ever DSA commitment decision, making its obligations formally binding.

§ IIWhat the decisions actually establish — and why they matter beyond the headlines

The April 2025 Apple and Meta decisions mark a genuine inflection point. The DMA had been in force since March 2024, and some observers questioned whether the Commission would move quickly enough to give the regulation credibility before political resistance softened its enforcement posture. The decisions answer that question, at least for now.

The Apple case turns on the anti-steering obligation in Article 5(4) DMA. Gatekeepers operating app distribution platforms may not restrict developers from directing users to pricing alternatives outside the platform. Apple's rules had the practical effect of preventing developers from informing users that the same digital purchase was available more cheaply elsewhere. The Commission treated this as a structural distortion — one that systematically advantages the gatekeeper's own commercial ecosystem.

The Meta decision engages Article 5(2) DMA, which prohibits gatekeepers from combining personal data across their core platform services without adequate legal basis. Meta's "pay or consent" framework was found to fail this standard. The reasoning is significant: the Commission held that a binary commercial choice does not constitute freely given consent.

"The Commission held that presenting a commercial binary choice does not constitute freely given consent. This extends well beyond Meta's specific model to any platform using consent-based data processing as a structural element of its business."

The TikTok advertising transparency finding, though still preliminary, is instructive for a different reason. It concerns a specific technical obligation — the requirement under Article 39 DSA to maintain a publicly accessible advertising repository with information on ad sponsors, targeting parameters, and display periods. The Commission's preliminary view is that TikTok's repository lacks sufficient detail for researchers and civil society to detect coordinated disinformation and fraud — precisely the public oversight function Article 39 was designed to enable.

§ IIIUnderstanding the regulatory architecture: DSA and DMA together

The Digital Services Act

The DSA establishes a tiered compliance framework for all providers of intermediary services with a connection to the EU market. The tier a company falls into determines the density of its obligations — but every tier carries substantive duties.

DSA provider tiers

Intermediary services. Broadest category. Conduit, caching, hosting. Conditional liability immunity and baseline transparency obligations apply.

Online platforms. Store and disseminate user-facing content. Notice-and-action mechanisms, complaint systems, recommender transparency, dark pattern prohibition.

Online marketplaces. Facilitate consumer-to-business transactions. Additional "Know Your Business Customer" traceability obligations for sellers.

VLOPs / VLOSEs. >45m monthly active EU users. Systemic risk assessments, independent audits, researcher data access, crisis response protocols.

TIER 1 Intermediary Conduit · Cache · Host Baseline duties TIER 2 Online Platform Social · Market · App + Notice & Action + Dark Pattern ban TIER 3 Online Marketplace B2C Commerce + Know Your Business Customer obligations TIER 4 VLOP / VLOSE >45m active EU users + Risk assessments + Independent audits + Researcher data access + Crisis protocols

One structural element of the DSA now generating tangible enforcement activity is the Trusted Flagger system under Article 22. Formally recognised entities — organisations with demonstrated expertise and independence — whose reports of allegedly unlawful content to platforms must be processed with priority. Germany's Bundesnetzagentur has now recognised four such entities. A platform that has not assessed whether its content moderation infrastructure distinguishes between ordinary notices and Trusted Flagger submissions is already out of step with its obligations.

The liability framework in Articles 4 through 6 DSA is also working its way into German courts. The OLG Bamberg became the first German appellate court to engage directly with the Article 25 dark patterns prohibition in a ticket platform case. The OLG Frankfurt addressed platform liability for deepfake content. The DSA is no longer only a regulatory instrument — it is being integrated into civil litigation.

The Digital Markets Act

The DMA operates through a designation mechanism. The Commission identifies specific companies as "gatekeepers" for specific core platform services — covering social networks, app stores, operating systems, search engines, advertising services, and intermediation services. Designation brings a non-negotiable set of behavioral obligations and prohibitions. Some are per se rules: the anti-steering prohibition, the data combination prohibition, the self-preferencing ban. Others require specification through Commission proceedings before their precise technical scope becomes clear.

The Commission has shown that it applies gatekeeper thresholds with genuine interpretive flexibility: confirming ByteDance's designation despite multi-homing arguments; declining to designate X after finding insufficient ecosystem lock-in; and revoking Facebook Marketplace's designation when Meta demonstrated the threshold was no longer met — the first revocation in DMA history.

§ IVEnforcement under political pressure: the transatlantic dimension

United States "Foreign extortion" · Tariff threat US-HQ gatekeepers: Alphabet, Apple, Meta, Amazon, Microsoft European Union Consumer protection · Fair competition €500m Apple · €200m Meta Enforcement proceeds regardless

Any analysis of current DSA and DMA enforcement that ignores the transatlantic political context would be incomplete. The current US administration has characterised European digital regulation as economically discriminatory — noting, accurately, that almost all designated gatekeepers are US-headquartered companies. Tariff negotiations have been accompanied by public statements and reportedly private pressure regarding specific enforcement proceedings. Reports emerged that at least one Commission investigation involving a US platform was paused in the context of trade discussions.

The April 2025 decisions against Apple and Meta nonetheless went ahead with substantial fines. The Commission has consistently maintained that the DMA's application follows from market position, not national origin. That position is legally correct — but the political environment adds genuine uncertainty that companies should factor into their planning, without treating it as a reason to defer engagement with legal obligations. Political negotiations do not pause enforcement timelines.

§ VPenalty exposure: what is actually at stake

6%
Maximum fine under the DSA — of global annual turnover.
20%
Maximum DMA fine for repeated infringement by a designated gatekeeper.

Beyond financial penalties, the Commission can impose interim measures, require structural remedies, and restrict market access in cases of persistent non-compliance. In the DMA context, systematic infringement may result in a prohibition on acquisitions in the relevant sector. Apple has already announced it will contest the €500 million fine — initiating what is likely to be prolonged litigation whose outcomes will shape DMA interpretation for all gatekeeper-designated companies.

§ VIWhat this means for companies that have not yet engaged

The enforcement activity to date has concentrated on the largest and most visible platforms. This has encouraged a false sense of distance among smaller and mid-sized technology companies operating in the EU market. That distance is largely illusory.

The DSA's obligations apply to any provider of intermediary services to EU users, regardless of company size or establishment. The Article 13 requirement to designate a legal representative within the EU applies to all non-EU providers — not only VLOPs. National DSCs are operational, receiving and processing complaints, and building enforcement capacity rapidly. And courts — as the OLG Bamberg case illustrates — are applying DSA standards in civil proceedings independently of any regulatory action.

A structured compliance assessment for companies at an early stage of EU digital law engagement typically covers:

  • Establishing which DSA tier applies — a CDN operator, a SaaS provider, and a consumer marketplace face materially different compliance profiles even though all may qualify as intermediary services
  • Determining whether the Article 13 legal representative requirement is triggered and establishing that representation with appropriate contractual risk allocation
  • Reviewing notice-and-action processes, internal complaint mechanisms, and terms-of-service language against the DSA's specific procedural and transparency requirements
  • For larger platforms: conducting the systemic risk assessments required under Article 34 DSA and establishing audit-ready documentation of resulting mitigation measures
  • Reviewing advertising and recommender system transparency disclosures — including, where applicable, the Article 39 advertising repository requirement now subject to the TikTok proceedings
  • Mapping DSA obligations against existing GDPR compliance structures, since content moderation and advertising systems frequently engage both frameworks simultaneously
· · ·

The enforcement record of spring 2025 confirms what the regulatory text always indicated: the DSA and DMA are designed to produce binding outcomes, not advisory guidance. Companies that engage with their obligations now, before a complaint or proceeding forces the question, are in a materially better position than those that wait.

Note & Disclaimer

This article is provided for general informational purposes only and does not constitute legal advice. References to enforcement proceedings reflect publicly available information as of the date of publication. Individual compliance questions require tailored legal analysis. © 2025 Kanzlei Theo Funk, Bamberg.

Kanzlei Theo Funk — EU digital law counsel for US technology companies

This firm advises US-based technology companies on DSA and DMA compliance: scope and tier assessments, Article 13 legal representative services under the DSA, regulatory correspondence support, and ongoing compliance counsel as the enforcement landscape develops. If your company has EU users and has not yet assessed its position under the DSA, now is the right time.

Get in touch →