In a landmark move, the European Commission has fined Apple €500m and Meta €200m for failing to comply with conduct obligations under the Digital Markets Act (DMA). These are the first non-compliance decisions issued since the DMA became fully applicable in March 2024¹ and mark a decisive step in the Commission’s enforcement of the new regime – signalling that it is prepared to act firmly against instances of non-compliance.

The non-compliance decisions

Apple’s infringement: “anti-steering” rules

Apple was found to have breached Article 5(4) of the DMA, in relation to its App Store core platform service (CPS). Article 5(4) requires gatekeepers to allow business users, free of charge, to communicate and promote offers to end-users and to conclude contracts with them, regardless of whether they use the CPS to do so. In practical terms, this means that app developers must be able to “steer” app users to offers available outside the relevant gatekeeper’s ecosystem, so that they can make off-platform purchases (e.g. of digital content), without undue restrictions.

The Commission found that Apple imposed a series of technical and commercial conditions that significantly limited the ability of developers to make use of these rights. The details of the Commission’s infringement decision are yet to be made public. However, previous announcements indicated the Commission was concerned, amongst others, about: 

• limitations on the information on alternative offers developers can share through their apps, and restrictions on how “link-outs” to alternative payment portals can work; and
• the fees charged by Apple for transactions effected through the new “link-out” functionality, including on those effected after the initial link-out.

Apple’s justification for these measures — that they were necessary to maintain security and privacy — was rejected as insufficiently substantiated.

The Commission ordered Apple to remove the restrictions and to refrain from any future conduct having the same object or effect. The infringement is ongoing, and Apple has 60 days to comply or may face periodic penalties of up to 5% of its average daily worldwide turnover. 

Meta’s infringement: “consent or pay” model

Meta was found to have breached DMA Article 5(2), in relation to its Facebook and Instagram social networking CPS. This prohibits gatekeepers, amongst other things, from processing, for the purpose of providing online advertising services, personal data from other services that make use of their CPS(s), and from combining personal data from the use of their CPS with personal data from other services, unless prior user consent has been obtained.

In an attempt to comply with Article 5(2), Meta introduced a “consent or pay” model, which required users of Facebook and Instagram in the EU either to consent to the processing and combination of their personal data for targeted advertising, or to pay a monthly subscription fee for an ad-free version of the service.

The Commission found that this binary model did not comply with Article 5(2) DMA, as Meta failed to offer a less personalised, but otherwise equivalent, alternative service to non-consenting users. Users should have been offered a service equivalent to the personalised ads service, which relies on the use of less personal data. It can be inferred here that, for the Commission, a paid-for service was not equivalent to a free, ad-supported one. The Commission therefore considered that the “consent or pay” model did not allow users to exercise their right to freely consent to the combining of their personal data².  This suggests that the Commission’s interpretation of the concept of consent in the context of so-called “consent or pay” models is similar to that advocated by the European Data Protection Board³.  This will hopefully become clearer once the full details of the decision are made public.  

In the meantime, Meta introduced a revised model in November 2024, which is subscription-free and based on less personalised, contextual advertising. This continues to be assessed for compliance by the Commission. The non-compliance decision therefore concerns the period from March to November 2024.

The scale of the fines

In nominal terms the fines are, undoubtedly, significant. Some reports, however, have described them as being “modest”– likely as they are significantly lower than the €1.84bn and €797m antitrust fines imposed on Apple and Meta respectively last year for abuse of dominance (Apple’s fine having been imposed for substantially the same conduct as the DMA violation) and the even larger fine previously imposed on Google.

Additionally, when set against Apple and Meta’s turnover in the last financial year, the true scale of the fines becomes more apparent. Both amount to around 0.13% of turnover, whereas the DMA empowers the Commission to impose fines of up to 10% of a gatekeeper’s worldwide turnover for a single infringement, and up to 20% in cases of repeated non-compliance.

The Commission cited the “gravity and duration” of the infringement, as well as the fact that these are the first non-compliance decisions under the DMA, as key factors in determining the level of the fines. EU competition commissioner Teresa Ribera also described them as “firm but balanced”. 

However, once the duration of the infringements is factored in, the fines are arguably not so lenient – depending on the view one takes as to the flagrance of the violations. Apple’s abuse of dominance fine worked out at approximately €211m per year of infringement, and Meta’s at approximately €112m per year; significantly less than the per-year values of the DMA fines imposed by the Commission (€444m and €300m respectively).

It therefore appears that the Commission – which under the DMA enjoys full discretion as to where to set fines for non-compliance, provided they remain below the aforementioned cap – has opted to set them at a level which emphasises the importance of firms amending their operating models so as to comply with its interpretation of the DMA.

Other developments

A more constructive approach to compliance? 

While these non-compliance decisions represent a robust approach to enforcement, the Commission has shown that it is willing to settle matters without recourse to financial penalties where it deems that gatekeepers have engaged constructively and made meaningful adjustments to their operating models.

In particular, at the same times as it imposed the fines, the Commission closed its investigation into Apple’s compliance with Article 6(3) DMA. 

Article 6(3) requires gatekeepers to allow users easily to remove pre-installed apps from their devices and to easily change default settings on their operating systems and web browsers. In response to the Commission’s non-compliance investigation, Apple introduced a new browser choice screen, amongst other changes. These changes were deemed sufficient to address the Commission’s concerns, leading to the formal closure of the investigation. 

On the other hand, the conduct underlying the Commission’s fines proved less suited to amicable resolution, with the gatekeepers choosing a more adversarial path. Likely this is due to the commercial implications of submitting to the Commission’s interpretation of the DMA. 

In Apple’s case, unrestricted steering by developers away from Apple’s payment channels may significantly undermine the basis on which it monetises its App Store (since many developers make their apps downloadable for free, and under Apple’s standard terms of business, developers do not pay fees for app downloads).

Similarly, should a significant proportion of Meta’s social network users in the EU opt not to consent to the combining of their data for advertising purposes, the essence of the business model – namely that the users (or, more specifically, their interests and preferences) are the “product” – may be threatened.

Both have confirmed they intend to appeal the non-compliance decisions before the EU Courts, claiming to have been unfairly targeted by the EU authorities.

More concerns for Apple, but some good news for Meta

In parallel with the fines, the Commission issued preliminary findings against Apple under DMA Article 6(4), concerning its contractual terms for alternative app distribution. These include: the imposition of a €0.50 “Core Technology Fee” per download; developer eligibility restrictions; and a multi-step process for sideloading apps that the Commission considers unnecessarily burdensome. 

As in the Article 6(3) case, Apple has the opportunity to respond before the Commission finalises its findings and could avoid further penalties if it can similarly demonstrate meaningful adjustments; assuming those too would not materially undermine its business model. The nominal deadline for a decision is 31 July 2025, but this is not a firm one (the two non-compliance decisions arrived a month after their respective deadlines). 

Meta, meanwhile, received a positive outcome in the form of the Commission exercising its discretion to remove Facebook Marketplace from the list of designated CPS. This followed a request by Meta, which argued that its Marketplace no longer met the criteria for designation. 

Upon reviewing Meta’s request, the Commission concluded that the service no longer meets the quantitative threshold in Article 3(2)(b) DMA, under which a platform will be presumed to be an “important gateway” where it has at least 10,000 yearly active business users in the EU. According to the Commission, Marketplace fell below that threshold in 2024, following moves by Meta to prevent business users from selling on the classified advertisements platform. 

Conclusion

These contrasting outcomes show that the DMA should not simply be viewed as a punitive tool, aimed at truncating traditional antitrust enforcement, but also as a mechanism that allows for sustained regulatory dialogue aimed at shaping platform architecture.

Nevertheless, the Commission’s decision to issue fines at all – let alone fines which, although smaller in headline terms, are comparable in severity with antitrust fines – highlights the importance it places on pro-active compliance. Making half-hearted changes, in the expectation that the Commission will simply mark their homework for them, is therefore a risky strategy for gatekeepers to pursue. 

The Commission’s announcement of the fines also suggested that these initial cases were intended to clarify expectations rather than set a punitive precedent. Further cases are likely to see increasingly severe interventions, particularly if violations persist or become systemic.

1 For more information see our overview from November 2022, and update on the designation of gatekeepers from May 2024. 

2 Article 5(2) DMA ties the concept of “consent” to the definition under the GDPR, in connection with which the CJEU has confirmed that “consent cannot be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment” – see Case C‑252/21 Meta Platforms Inc v Bundeskartellamt.

3 Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms, 17 April 2024.