In Brussels We Trust? Preliminary Insights Into the Legal Challenges to the DMA and DSA
Linda Weigl, Aleksandra Guzik / Nov 5, 2024
This essay is a condensed version of an academic paper set to be published in 2025 in the Journal of Law, Innovation, and Technology (Volume 17, Issue 2). A preprint of the paper is available on SSRN.
Recent developments show that Big Tech companies targeted by the Digital Markets Act (DMA) and the Digital Services Act (DSA) have started to pursue legal action against EU institutions. Among other things, the companies argue that the Commission unfairly designates them as entities subject to specific legal obligations. What is noticeable is that the reactions by these actors appear to be very different from the reception of previous and similarly impactful EU regulations in the digital sphere, such as the GDPR. In the following, we will explore why we are witnessing this ‘Brussels resistance’ as a new form of corporate reaction strategy.
Legal challenges to EU regulations have increased in 2023 and 2024, which unsurprisingly coincides with the implementation of several digital policy acts targeting Big Tech under the von der Leyen Commission. However, looking at the GDPR as the textbook example of the Brussels Effect, it is interesting to find that in the last six years, private companies have launched only four legal cases to contest GDPR provisions. Of these four cases, only the two most recent cases, filed by TikTok and Meta in 2023 and 2024, challenge the GDPR’s validity, arguing it is unlawful under human rights law. Interestingly, these broader, more ‘substantial’ challenges overlap with the surge of legal action filed by companies in the context of the Digital Services Act package.
In the context of the DMA and DSA, the picture looks slightly different. Since the DMA took effect on May 2, 2023, it has already faced four legal challenges. The enforcement of the DSA has intensified this dynamic. Having only been in effect since February 17, 2024, it has already prompted seven cases filed against the European Commission.
Big Tech takes a more contentious approach against the DMA and DSA
Since 2023, the cases brought against the Commission in the context of the DMA have involved companies, including Meta, ByteDance, and Apple in the context of iMessage and iOS, challenging the Commission’s decision to classify their services as Core Platform Services, Number-Independent Interpersonal Communication Services (as defined in Article 2(7) of the European Electronic Communications Code Directive, which includes services like Messenger or WhatsApp), or designate them as gatekeepers (as defined in Article 3 of the DMA). Under the DMA, these companies primarily challenged their classification based on claims of errors of law, inadequate reasoning, misinterpretation, and misapplication of the DMA alongside ‘material factual errors.’ They also argued that the classifications violated the requirements of the European Charter of Fundamental Rights (ECFR) and the principle of proportionality.
When examining cases under the DSA, applicants (including Zalando, Amazon, Meta, TikTok, Technius, Aylo Freesites, and WebGroup) have similarly contested their classification as very large online platforms (VLOPs). These companies challenged the Commission’s designation based on an allegedly erroneous methodology for establishing the number of monthly active recipients, the misapplication of the DSA, errors in law, and the infringement of the companies’ right to be heard, the principle of equality, proportionality, and legal certainty.
In contrast, GDPR-related cases filed by platforms against the Commission were largely responses to specific enforcement measures. WhatsApp challenged an imposed financial penalty; Meta, allegations of non-compliant data processing; and TikTok, a decision compelling Irish regulators to acknowledge the company’s ‘dark patterns’ violation. This highlights how complaints under the DMA and DSA have been much more pre-emptive.
Despite clearly exceeding the thresholds for gatekeeper or VLOP status (generating EU revenues over €7.5 billion in each of the last three financial years and/or more than 45 million users per month in the EU), the companies have sought to contest these classifications. These challenges raise deeper legal and fundamental rights issues, such as alleged breaches of the ECFR and violations of the principles of proportionality and equality, reflecting a more contentious set of accusations compared to the more procedure-driven disputes under the GDPR.
Scope of litigation and legal arguments against the DSA and DMA
Articles 5 and 6 in the DMA contain the bulk of legal obligations for designated gatekeepers, which explains the intense opposition from tech companies. Article 5 contains directly applicable provisions that prohibit anti-competitive practices related to the processing of end-users’ personal data, parity clauses, anti-steering, etc. Article 6 contains requirements (further specified in Article 8) that generally prohibit preferential treatment of a gatekeeper’s own services, obligations on end-users to use certain default settings and apps, and denying business users access to data generated by those businesses.
Similarly, the two most contested provisions under the DSA, Articles 38 and 39, also target one of the more critical areas for Big Tech players by regulating algorithmic transparency. The targeted companies consider both articles extremely harmful to their core functionalities and competitive advantage. Article 38, they argue, would disrupt the ability to provide personalized recommendations, thus undermining customer satisfaction and putting the designated VLOPs at a competitive disadvantage. Article 39 would further expose the companies’ advertising strategies to competitors.
The heightened resistance to the DSA and DMA compared to the GDPR also stems from several other factors. First, the enactment of the DSA and DMA, together with other legal initiatives targeting Big Tech over similar timeframes, has created a condensed period of compliance, heightening friction as companies adapt to numerous new obligations. Moreover, the DMA and DSA more aggressively seek to target the market dominance of a few large tech companies. The GDPR, in contrast, applies to any entity processing personal data, regardless of size or market influence.
More significantly, the provisions within the DMA and DSA (notably the four Articles mentioned above) represent a direct threat to Big Tech’s core business models in ways that GDPR compliance does not. While the GDPR imposes rules on obtaining a lawful basis for data processing, it does not fundamentally alter the way platforms make their money. Compliance under the GDPR is largely procedural, whereas the DMA forces gatekeepers to rearrange their interactions with end-users and business users, making it harder for these platforms to maintain their dominant market positions. Under the DSA, Articles 38 and 39, which demand algorithmic transparency and greater control over personalized recommendations, are seen as existential threats to platforms reliant on user engagement and advertising revenue.
What will be the impact?
Amid strong resistance from Big Tech, are European regulators struggling to enforce the new Digital Services Act package? Recent policy and legal actions initiated by the Commission following litigation in the context of the DMA and DSA may provide a preliminary answer.
Since March 2024, the European Commission has initiated formal proceedings against several companies under the DSA. It has also continued to designate entities that meet the criteria to be classified as VLOPs, VLOSEs, and gatekeepers. Additionally, under the DMA framework, the Commission has launched investigations into Apple, Alphabet, Google, and Meta, imposing nearly 2 billion euros in antitrust fines. Most recently, it accused Meta of violating the DMA with its ‘pay or OK’ model.
In parallel, the European Court of Justice (ECJ) denied Amazon’s request for interim measures to evade compliance with Article 39 DSA. The Court also refused interim measures to temporarily suspend DSA obligations requested by Aylo Freesites and WebGroup. Similarly, it dismissed one of ByteDance’s challenges against its gatekeeper status under the DMA.
Taken together, these actions demonstrate that despite resistance from some of the largest tech companies, the EU’s regulatory agenda remains on course. The Commission appears to be able to uphold its principles, pursuing enforcement actions against companies that infringe on the regulations or attempt to evade or undermine them. However, the surge in legal challenges filed by Big Tech could also be seen as a warning sign, indicating that while platforms may appear to comply, their true willingness to adhere might be superficial, requiring the Commission to be particularly vigilant going forward.
While the Commission’s commitment to regulating these companies appears solid, the ultimate success of the DMA and DSA in achieving ‘non-malicious’ compliance and protecting the digital market remains uncertain. Much will depend on whether companies find ways to evade compliance, exploit loopholes, or offer alternative solutions to the EU market, such as geo-blocking or modified ‘EU-only’ versions of products or services that meet the minimum DSA- and DMA-compliant standards on paper but still fall short of fully ensuring fair competition and user protection.