CMA to Impose EU-Style Rules on Apple and Google App Stores

The UK’s Competition and Markets Authority (CMA) has signaled its intention to designate Apple and Google as having “strategic market status” under the country’s new Digital Markets, Competition and Consumers Act. This move would empower the CMA to enforce EU-style conduct rules on smartphone ecosystems, targeting app store fees, interoperability, and the treatment of AI-driven services.
Background to the Digital Markets Regime
Passed in late 2024, the Digital Markets, Competition and Consumers Act (DMCC) establishes a framework for regulating dominant digital platforms. Under the DMCC, firms designated with strategic market status are subject to a five-year “conduct remedies” regime, with potential fines of up to 10% of global turnover for breaches.
Designation Process and Timeline
- Preliminary findings announced July 2025.
- Formal designation decision due October 2025.
- Publication of draft conduct rules Q1 2026.
- Final rules implemented by mid-2026.
“Time is of the essence: as competition agencies and courts globally take action in these markets, it’s essential the UK doesn’t fall behind,” said Sarah Cardell, CMA Chief Executive.
Key Proposed Conduct Rules
- Fee Caps: Limit app store commission rates to no more than 25–30% for digital goods and services, with tiered rates for small developers (e.g., 15% for revenues under £1 million/year).
- Interoperability Requirements: Mandate open APIs for digital wallets (e.g., Apple Pay, Google Wallet) and smartwatch platforms (Wear OS, watchOS) to support third-party payment apps and multi-device synchronization protocols like Bluetooth LE Secure Connections and HFP over USB.
- Side-Loading & Alternative Stores: Require Apple to permit sideloading of .ipa packages and support alternative app marketplaces on iOS; Google may need to open its Android package installer (APK) to unverified sources under tightened security sandboxing standards.
- AI Service Fairness: Ensure Apple’s Siri and Google’s Gemini voice assistants interoperate with third-party AI models via standards such as OpenAI’s GPT API and W3C’s WebNN proposal, preventing gatekeeping of data or voice-processing frameworks.
Technical Specifications and Security Considerations
Security remains a core concern. The CMA plans to collaborate with the UK’s National Cyber Security Centre (NCSC) to define a risk-based sandboxing framework for side-loaded apps. Proposed measures include:
- Mandatory code signing with developer certificates to prevent supply-chain attacks.
- Runtime permission controls built on Android 14’s granular API permissions and iOS 16’s Scoped Storage model.
- Automated static analysis tools, leveraging open-source scanners like Semgrep and MobSF, for malware detection in alternative app stores.
Global Context: UK vs. EU vs. US
While the EU’s Digital Markets Act (DMA) imposes broad “gatekeeper” obligations, the CMA emphasizes a tailored and iterative approach. Key distinctions:
- Scope: DMA applies to 22 gatekeepers across the EU; UK rules target only Apple and Google stores initially.
- Flexibility: CMA will review impacts annually, adjusting rules based on developer feedback, whereas DMA mandates immediate compliance by set deadlines.
- Enforcement: EU fines up to 20% of global turnover vs. UK’s 10%, but the CMA benefits from a dedicated Digital Markets Unit embedded within government.
Developer Ecosystem and Innovation Impact
Independent developers have lobbied for reduced fees and more choice. Epic Games CEO Tim Sweeney commented:
“Though the CMA’s proposals are a step forward, delaying alternative store decisions is a missed opportunity for UK innovation.”
However, leading mobile security experts warn that changes must preserve sandbox integrity and end-to-end encryption in payments. Industry veterans at Jane Software Labs suggest that a phased rollout with OAuth 2.0-based trust frameworks could strike the right balance.
Future Outlook and Next Steps
Following the October designation, the CMA will launch a 12-week public consultation on draft rules, seeking input from:
- App developers and indie studios.
- Payment service providers and fintech startups.
- Cybersecurity researchers and standard bodies.
The final conduct rules are expected by summer 2026, with enforcement mechanisms live by year end. Companies found in breach could face substantial penalties, reshaping the UK’s digital marketplace for years to come.