The EU’s Digital Markets Act: A Gift to Hackers – and a Threat to Competition?
By: Matthias Bauer, Dyuti Pandya
Subjects: Digital Economy, European Union

The Digital Markets Act (DMA) was designed to promote competition in digital markets, particularly by preventing large technology firms from imposing anti-competitive business practices. However, in its effort to enforce platform openness, the DMA – especially Article 5(4) – risks compromising cybersecurity and inadvertently weakening market competition.
By requiring mobile operating systems to permit third-party linkouts, the European Commission is prioritising regulatory mandates over the integrity of established security architectures, potentially exposing users to heightened cybersecurity risks. The unintended consequences of this policy not only expose citizens to greater cybersecurity threats but could also reduce competition in the mobile operating system space rather than enhance it.
A Contradiction in Regulatory Priorities
The European Union has made cybersecurity a cornerstone of its digital and economic security strategy. Initiatives such as the Cyber Resilience Act and the NIS2 Directive reflect a concerted effort to enhance the security of digital infrastructures and mitigate risks related to cybercrime and data breaches. Paradoxically, the enforcement of the DMA directly undermines these objectives by forcing platform providers to relax security controls that have been instrumental in protecting consumers.
For instance, Apple has already responded to DMA requirements by withholding certain AI-driven security features in the EU, citing regulatory uncertainty surrounding DMA enforcement by the European Commission. Apple is withholding Apple Intelligence from EU users, creating a security gap. If European citizens are denied access to these innovations, their devices may become more vulnerable to phishing attacks, malware, and fraudulent activities than those of users in other regions.
Google faces similar challenges, as the enforcement of Article 5(4) may require it to allow direct external links in Play Store apps, increasing security risks. This comes despite Google’s globally recognised cybersecurity efforts. The Play Integrity API has reduced untrusted app usage by 80%, while Play Protect blocked 36 million dangerous installations in 2023, protecting 10 million devices. Stricter developer verification and security labels under the Mobile App Security Assessment (MASA) further strengthen protection. Yet, over 95% of malicious Android apps originate from sideloading, and the DMA forces Google to weaken safeguards designed to block unverified third-party linkouts. By undermining these protections, DMA compliance exposes Europeans to increased risks of malware, phishing, and fraud.
The DMA’s Unintended Market Distortions
Beyond cybersecurity concerns, the DMA also creates a paradoxical dilemma for open-source mobile operating systems:
- Remain open and face growing cybersecurity risks, or
- Move towards a more closed ecosystem to ensure security compliance.
If the latter approach is taken, open-source Android could begin to resemble iOS, Apple’s platform, which operates a highly controlled security architecture. This would likely alter the competitive dynamics of mobile operating systems in several fundamental ways:
- Reduced customisation: A shift toward a more restricted Android ecosystem would limit manufacturers’ ability to differentiate their devices.
- Increased costs: Android’s relative affordability stems in part from its open structure, allowing manufacturers to innovate on price and features. A more restrictive environment could raise costs for consumers.
- Higher market entry barriers: A less flexible Android ecosystem would make it more difficult for new entrants to differentiate themselves, potentially entrenching the dominance of the very firms the DMA aims to regulate.
This contradiction is crucial: if regulatory enforcement pushes Android toward a closed system akin to iOS, it would consolidate rather than fragment market power. Such an outcome contradicts the very objectives of the DMA, which aims to enhance competition and reduce dependency on dominant platform providers.
Regulatory Disparities and Strategic Consequences
Another major concern is the global asymmetry in regulatory obligations. The DMA imposes stringent requirements on platforms such as Apple and Google, but major non-EU competitors – particularly Chinese mobile ecosystems such as Huawei’s AppGallery and Tencent’s app marketplace – face no comparable restrictions. These app stores can also be installed on Android-run devices, allowing them to expand their influence beyond their own ecosystems without being subject to the same interoperability and sideloading mandates imposed on Apple and Google.
This regulatory asymmetry creates two unintended outcomes:
- Competitive disadvantage for European users and businesses: While European platforms must weaken their security architectures, non-EU competitors can maintain more restrictive, controlled ecosystems. This not only provides a commercial advantage to non-EU tech firms but also increases cybersecurity risks, as users may be drawn to platforms with stronger default protections.
- Contradictions in EU digital sovereignty goals: The European Commission has prioritised reducing reliance on foreign infrastructure. However, by creating regulatory conditions that weaken European cybersecurity while allowing Chinese tech ecosystems to maintain tighter security controls, the DMA risks exacerbating Europe’s strategic vulnerabilities rather than mitigating them.
The Commission Should Align Competition and Cybersecurity Objectives
The Digital Markets Act, in its current form, introduces critical security risks and may inadvertently strengthen rather than weaken platform dominance. A more balanced regulatory approach – one that prioritises both competition and security – is needed to ensure that the DMA achieves its intended objectives without introducing unnecessary risks.
To prevent unintended harm, the European Commission should align DMA enforcement with cybersecurity objectives. This requires technology-neutral application, allowing competition between different security models; regulatory coherence, ensuring DMA rules do not conflict with EU cybersecurity laws like NIS2 and the Cyber Resilience Act; and recognition of platform differences, acknowledging that one-size-fits-all rules could weaken security. OS providers must retain the ability to block unvetted third-party linkouts to prevent malware and fraud, with external links leading only to verified platforms. Finally, providers should be exempt from penalties if restrictions are necessary to counter active cybersecurity threats.