The European Commission is finalizing two sets of binding measures under its flagship competition regulation, the Digital Markets Act (DMA). These measures would force designated gatekeepers to share granular search data with competing search engines and artificial intelligence (AI) chatbots and to open mobile operating systems features to third-party service providers on equal terms. These proceedings target Google, with parallel interoperability measures underway against Apple. Both Google decisions are expected as early as July 16.

Whether or not the DMA’s approach to market contestability is a sound policy approach, its implementation has created a separate, unintended consequence that the Commission has failed to address. The DMA’s implementation is on a collision course with the Commission’s own Cyber Resilience Act (CRA), which requires the same companies to minimize their cyberattack surfaces, deliver secure-by-default products, and bear liability for a product’s security for the entirety of its lifecycle.

These two regulations mandate platform operators to take opposing actions—one requires them to reduce the number of pathways an attacker can exploit, while the other requires them to create new ones.

What the DMA Would Require

Two measures of the DMA contribute to this compliance paradox. Under Article 6(11), search providers would be required to share anonymized ranking, query, click, and behavioral data with any qualifying search engine or AI chatbot at the same frequency with which they access it internally for a period of at least five years. Supposedly, this will be protected by an anonymization framework that relies on frequency filtering and contractual commitments from recipients; however, it is important to note that these approaches bear no technical guarantee against the re-identification of individual users by those with the computational power to perform inference on the data. Furthermore, the recipient list is not limited to European companies, as any qualifying service can request access—including entities outside of EU jurisdiction that do not meet EU data protection standards. This would build data pipelines to weaker security targets and place all sensitive data at risk. These concerns are not abstract from a U.S. perspective, given that diplomats, U.S. military personnel, members of the intelligence community, government contractors, and American tourists in Europe use search platforms daily. Under the proposed measures, their behavioral data will flow into the same loosely vetted pipeline as everyone else’s. A data pipeline is only as secure as its weakest participant, and the DMA’s framework requires no specific security capabilities from its prospective data recipients.

Under Article 6(7), the measures go from data to device hardware itself. Third-party service providers would receive access to voice activation and screen content capture, with the ability to execute across other applications on a user’s device. Under this policy action, real-time screen capture and overlay execution would become standard, available to any app provider. Concerns about DMA interoperability mandates are not new. The DMA would extend interoperability requirements deep into device architecture with cascading security consequences, thereby requiring significant overhauls of core security.

This is the exact opposite of the principle of least privilege, a core tenet of cybersecurity. Any system component should only be able to access the resources needed to execute its specific function. Any mandate that prohibits limiting access by purpose or use case greatly expands the attack surface through regulatory design and puts millions of users’ devices and data at risk.

Why the CRA Makes This Untenable

The CRA is not ambiguous when it comes to security requirements for platforms. Annex I requires products to be designed with minimized attack surfaces, with possible penalties of up to 15 million euros (or 2.5 percent of global turnover) for non-compliance. Device manufacturers bear this responsibility across the entire lifecycle of their products.

The DMA’s competition measures would require those same companies to expand their attack surfaces. Even more problematic is the fact that the Commission’s own data protection body has not finalized any anonymization guidelines as we move full steam ahead to implement binding data-sharing obligations.

Plainly put, the Commission is unable to enforce both positions simultaneously unless it is willing to provide guidance as to which obligation takes precedence when they conflict. The DMA’s current specification proceedings fail to take CRA requirements into account, as different directorates with different mandates developed each measure.

Conclusion

If interoperability and market competition are truly important, then security must be taken into account as well. Setting technical eligibility requirements for data recipients, creating graduated access tiers, and establishing mandatory security baselines are all reasonable considerations that seem to have been overlooked. Beyond this, the Commission must address a question it has avoided thus far: When two of its own regulations directly oppose each other, which one takes precedence? If it does not choose the security measure, then millions of users will bear the consequences of a competition regulation that treats consumer protection as an afterthought.