The EU’s new Digital Markets Act (DMA) promised to rein in the power of Big Tech with bold rules and it is now starting to deliver. Just a few days ago, the European Commission announced the first fines under the DMA: €500 million for Apple, and €200 million for Meta. Both were found to have violated obligations that aim to open up digital markets: Apple by restricting app developers’ communication with users; Meta by tying consent to personalised advertising.
It was a landmark moment for the new regime but it also exposed a curious gap. Unlike in EU antitrust enforcement or GDPR cases, the Commission has not issued any guidelines on how it will calculate fines under the DMA. And that raises real questions about legal certainty, especially when fines of up to 10% of global turnover, or even 20% for repeat infringements, are on the table. At first glance, the absence of guidelines might seem unremarkable. The DMA itself sets clear maximums: 10% (or 20%) of a company’s worldwide revenue. That’s significant enough to catch any tech giant’s attention. And technically, the Commission isn’t obliged to adopt guidelines; it can fine based directly on the Regulation.
But if you look at how the Commission operates in other areas, this silence becomes intriguing. In antitrust, for instance, the 2006 Fining Guidelines set out how fines are calculated; taking into account gravity, duration, and aggravating or mitigating circumstances. Similarly, in data protection, the European Data Protection Board has published guidance on how GDPR fines should be reasoned and scaled. Once published, these guidelines act as soft law: binding on the Commission itself, anchoring its decisions and offering companies predictability.
One of the core principles of EU law is legal certainty. Companies should be able to foresee, with reasonable clarity, the consequences of breaching a rule. It’s not enough for the rules themselves to be clear; the penalties must also be foreseeable. Otherwise, companies cannot properly calibrate their compliance efforts or assess the risks they are taking.
Without fining guidelines, the Commission keeps maximum flexibility. But for gatekeepers, it means being left in the dark about how serious a breach will be judged, and what the financial fallout could be. A fine could be a slap on the wrist or a corporate earthquake with no clear roadmap in between.
And while the first DMA fines are substantial, they are nowhere near the upper end of the scale. Apple’s €500 million fine, for instance, represents only a small fraction of its annual turnover. The Commission seems to be testing the waters carefully; not reaching for the maximum penalties right away, perhaps to build a credible enforcement record without provoking accusations of overreach.
This moderate approach makes sense. The DMA is new, the rules are complex, and regulators want companies to engage seriously rather than immediately fight every decision in court, though appeals are of course expected. At the same time, the absence of fining guidelines could create long-term risks for enforcement.
First, it opens the door to inconsistencies: different companies, or different cases, might be treated differently without a clear framework. Second, it invites challenges: if a company feels it has been fined unfairly, it can argue that the Commission’s discretion was too broad, or exercised arbitrarily. Courts are generally reluctant to second-guess the Commission on fines, but they do expect decisions to be transparent and reasoned.
Finally, and perhaps most importantly, it could undermine the very trust the DMA seeks to build. The DMA is supposed to create a level playing field, where powerful gatekeepers know exactly what is expected of them. Lack of clarity around sanctions pulls in the opposite direction.
Of course, it’s still early days. The Commission may simply be waiting to gather more enforcement experience before codifying its approach. That’s understandable. Publishing fining guidelines too early could backfire if early cases reveal complexities that weren’t anticipated.
But at some point, clear guidance will become not just helpful, but necessary for regulators, companies, and courts alike. Until then, enforcement under the DMA will continue to walk a fine line: ambitious in its aims, but feeling its way in how hard, and how predictably, to punish non-compliance.
Co(E)mpetition Procedure 