Disruptive Competition Project

Security at Risk: How Today’s DMA Enforcement Risks Leaving Europeans Vulnerable to Spam and Scams 

Main takeaways

  1. The way in which the Digital Markets Act (DMA) is currently being enforced risks limiting tech companies’ ability to protect users from deceptive content
  2. Surveys show 81% of EU consumers oppose regulations that force search engines to give low-quality or scammy content higher visibility 
  3. Forcing search engines to stop ‘discriminating’ against spam to ensure market fairness effectively provides an incentive for large-scale abuse by scammers 

This May marks three years since the EU’s Digital Markets Act (DMA) came into force. While the DMA was supposed to promote ‘contestability’ and ‘fairness’ in digital markets by curbing so-called ‘gatekeeper’ companies, a troubling gap is emerging between regulatory theory and how the European Commission’s enforcement of the DMA is affecting internet users in practice. 

A new study by Kati Suominen, founder and CEO of Nextrade Group (‘Trust, Safety, and Competition: How the EU Commission’s DMA Enforcement Risks Undermining the Security of Europe’s Internet’), tackles a question that is often sidelined in Brussels policy debates: Does current enforcement of the DMA risk unintentionally limiting the ability of tech companies to protect users from spam, scams, and other deceptive content?

1. The paradox of anti-spam enforcement

The impetus for Suominen’s study was a recent DMA investigation by the Commission into Google’s Site Reputation Abuse Policy (SRAP). Google introduced this policy specifically to filter out ‘parasite SEO’ from search results – a practice where bad actors intentionally hijack the reputation of high-authority, trusted websites and domain names (like those of universities, governments, or major news outlets) to rank low-quality affiliate content or malware at the top of search results.

Paradoxically, the Commission is now investigating these very anti-spam measures that were introduced to protect European users as potential violations of the DMA. As Suominen highlights in her study, this creates a Catch-22 for online platforms: when protecting users from scams, they risk getting fined under the DMA, but if they lower their defences to comply, platforms could violate other major EU rules such as the Digital Services Act (DSA) by exposing users to systemic risks.

The threat of parasite SEO is far from theoretical. The study details several active malware campaigns like Gootloader and Oyster that are already targeting European businesses and IT administrators. These malicious operations compromise poorly secured websites to inject fake discussions or software installers that steal people’s credentials and passwords. 

2. Europeans’ trust in the internet at stake

The stakes of this regulatory conflict are pretty serious because Europeans currently trust the internet significantly more than their global peers. Suominen’s research found that 64% of Europeans agree they “trust the internet,” a figure much higher than in Africa, Asia, or North America. 

This strong level of confidence is not accidental; it relies heavily on Europeans’ expectation that online platforms and governments will actively protect them from disinformation and illegal content. By suddenly treating essential security protections as competition issues, the Commission thus risks eroding the very foundation of Europeans’ trust in the internet.

If DMA enforcers decide to force search engines to stop ‘discriminating’ against these types of malicious, misleading, or spammy content to ensure ‘fairness’, they effectively incentivise large-scale abuse by spam networks and scam operators. This is particularly concerning given that malware incidents continue to triple globally.

Beyond search results, the study looks at other DMA-mandated requirements that may enlarge the European ‘attack surface’ for cybercriminals, such as the obligation to permit ‘sideloading.’ This requirement forces gatekeepers to allow the installation of apps on devices from sources outside official app stores, potentially creating entry points for malicious actors and bypassing the security safeguards users depend on to protect themselves against unsafe applications. 

3. What consumers actually want

One of the most striking data points cited by the Nextrade study is that European consumers are actually strongly against such outcomes. A staggering 81% of EU consumers oppose any regulation that would force search engines to give low-quality or ‘scammy’ content higher visibility, and 78% explicitly want search engines to actively filter out spam – even if it comes from major news outlets.

Simply put, European consumers understand the internet ecosystem and do not want any form of DMA enforcement that forces online platforms to open up their systems in ways that lead to more scams or misleading content in search results. The data shows that 75% of users agree search engines should punish problematic articles, even when such actions hurt the hosting website’s traffic. 

Conclusion

As the European Commission prepares for the upcoming DMA review in May, it is essential that these crucial security implications are moved to the forefront of the discussion in Brussels. 

Europe’s cyber resilience would greatly benefit from the introduction of a ‘security-first’ principle in DMA enforcement, which should include exemptions for gatekeepers when technical evidence shows that specific obligations undermine user safety. Furthermore, a ‘safe harbour’ could be established for anti-spam measures, so that interventions targeted at deceptive content are deemed lawful when based on objective indicators. 

The DMA was meant to empower Europeans, not take a step backwards and suddenly leave consumers to navigate and vet online content with fewer protections than before. It is time for a balanced approach to DMA enforcement that ensures competition policy never overrides security features that consumers benefit from.
