Does the DMA require direct app downloads?

Android, iOS and Windows have all been designated as gatekeeper operating systems (OSes) under the Digital Markets Act. Amongst other obligations, this means:

The gatekeeper shall allow and technically enable the installation and effective use of third-party software applications or software application stores using, or interoperating with, its operating system and allow those software applications or software application stores to be accessed by means other than the relevant core platform services of that gatekeeper…

Digital Markets Act Article 6(4).

While I initially read this as requiring both direct app downloads and third-party app stores, I can see it can be read as requiring only one of these — as Apple has chosen to interpret this paragraph. This would be an unfortunate interpretation for the “fairness and contestability” of app markets, the goal of the DMA (alongside other “core platform service” markets, such as messaging, web browsers, and search engines).

Curiously, the German-language version uses an “and” rather than “or”. The Act’s (German) parliamentary rapporteur has confirmed his view this provision requires BOTH third-party app downloads and app stores:

Let’s see if the “close scrutiny” of Apple’s DMA compliance promised by Competition Commissioner Margrethe Vestager addresses this point 🧐 Could the English-language Act be clarified with a corrigendum (probably not)? If not, I guess the obligation could be “updated” with a delegated act by the Commission following a market investigation (Art. 12). Interpretation by the Court of Justice might (ultimately) also do the job 👩‍⚖️

Apple cites “security and privacy” reasons for its complex scheme for enabling third-party app stores, but there are ways those issues could be addressed while still allowing direct app downloads (as Apple itself has demonstrated with its app “notarisation”).

These are becoming such frequently-cited reasons to avoid DMA compliance it’s good the European Commission’s Joint Research Centre is hiring five expert researchers to (amongst other tasks) assess these claims. But in the long run, I think there will have to be further institutional mechanisms to find broader consensus on what security/privacy measures are and are not justified (perhaps a Commission-led multi-stakeholder expert group, with the participation of the EU Cybersecurity Agency and the European Data Protection Board?)