
How do competition laws affect Apple's sideloading policies?

The EU's Digital Markets Act has caused Apple to allow sideloading in certain regions. This change could have broader effects on Apple's operations, mobile security and IT teams.

Apple devices offer strong security at the cost of limited options, but the EU's Digital Markets Act could change that for some users.

A defining feature of Apple security is the company's walled garden approach to software and services. For applications, this means iPad and iPhone users can only get apps from the official Apple App Store.

Sideloading is when a user loads an app from a different location than the default mobile option, which in Apple's case is the App Store. With Apple's walled garden environment, the only surefire way for a user to sideload an app is to jailbreak their device, exposing the endpoint to significant security risks.

Apple has maintained tight control over app distribution, citing security and UX concerns. However, recent regulatory pressures are challenging this stance and potentially reshaping the landscape of iOS app installation.

What is the Digital Markets Act?

The Digital Markets Act (DMA) is an EU regulation that came into full effect in March 2024. The act aims to create a fairer and more competitive digital market by regulating "gatekeepers" -- large companies that control critical online services. Multiple vendors make the EU's list of gatekeepers, including Meta, Apple, Alphabet, Microsoft and Amazon.

The DMA requires the gatekeepers to change their business practices to improve access and competition. Key requirements include the following:

  • Open platforms to third parties.
  • Allow interoperability between services.
  • Prevent preferential treatment of the gatekeeper's products over competitors.

Companies that fail to comply with the DMA can face severe penalties, including fines of up to 10% of their annual global revenue.

What changes has Apple made to comply with the DMA?

The DMA has required Apple to make numerous changes to its platform within the EU. These changes apply only to users physically located in the EU with EU-region Apple accounts. Application distribution, payment processing and developer capabilities are the focal points of the adjustments.

Apple has made the following app distribution changes:

  • Sideloading is permitted as of iOS 17.4, allowing users to install apps from alternative marketplaces.
  • Direct downloads from developer websites are permitted as of iOS 17.5.
  • When users install from an alternative app store for the first time, they must approve the developer in Settings.

The company has implemented the following payment changes:

  • App developers can use alternative payment providers or external payment links.
  • New business terms include reduced commission rates.
  • Developers must pay a Core Technology Fee of €0.50 per annual install for apps that have reached over a million annual installs in the EU.
  • Developers can choose between existing App Store terms or new alternative terms.

The company has also made the following technical and developer changes:

  • Alternative browser engines are permitted. Apps and developers are not restricted to Apple's WebKit, which powers the Apple Safari browser.
  • Enhanced API access and interoperability options are available.

What are the broader ramifications of the DMA?

The steps Apple has taken to ensure DMA compliance won't just make sideloading easier for EU users -- the shift will also alter various aspects of the company's overall ecosystem. For example, the DMA's requirements have significant implications for Apple's business model. Affected areas include the following:

  • Revenue. The changes to the App Store's fee structure and the introduction of alternative payment systems could affect Apple's revenue from app commissions.
  • Competitive pressure. The opening up of the ecosystem introduces new competition for Apple's services and app distribution.
  • Compliance costs. Implementing the necessary changes requires significant resources and development efforts from Apple.
  • Fragmentation. Currently, these changes are limited to the EU, creating a disparity between EU and non-EU iOS users.

Other effects could go beyond these areas, from limitations on app features and weakened security to regulation changes in countries outside the EU.

Drawbacks of Apple's new sideloading policies

Some limitations and risks are associated with Apple's DMA compliance. First, Apple has warned that some common capabilities won't work on sideloaded apps. Examples include Family Sharing and Ask to Buy features, as well as certain Screen Time restrictions. Apple's ability to provide support for apps from alternative sources is also limited. This problem is particularly relevant to payment disputes, refunds and security issues.

While complying with the DMA, Apple has expressed concerns about possible security risks:

  • Increased malware risk. Apple warns that users who sideload apps are more likely to have malware on their devices.
  • Data privacy issues. Sideloaded apps might request excessive permissions, which could lead to unauthorized data collection.

However, Apple has implemented new safeguards to mitigate risks, including app notarization and authorization for marketplace developers.

Figure: Top mobile security threats include malware attacks, phishing, lost or stolen devices, cross-app data sharing and unpatched OSes. Unsecured applications can be a source of mobile threats.

Regulatory pressure against Apple in non-EU countries

With the passage of the DMA, users in the EU will have a different experience than users in other parts of the world.

The U.K. has passed the Digital Markets, Competition and Consumers Bill, which is similar to the DMA in many respects. South Korean legislators also introduced a DMA-like framework called the Platform Competition Promotion Act in 2020. The government subsequently withdrew the bill, but reintroduction is still on the table, along with other proposed digital competition policies.

The U.S. government has taken a different approach than the EU. Instead of passing new regulations, the U.S. has used existing antitrust laws to take aim at Apple. In recent years, the Department of Justice and the Federal Trade Commission have increased antitrust investigations and lawsuits against tech firms, including Apple.

With this in mind, it's a good idea for IT leaders to evaluate the DMA's effect in the EU, regardless of their location. Apple might implement the same changes globally in the future.

How Apple's DMA compliance changes might affect IT

The changes the DMA mandates will affect IT teams and their end users. Potential consequences, both negative and positive, include the following:

  • Increased security risks. The introduction of sideloading and third-party app stores increases the risk of malware and other threats. IT will need to be more vigilant about the apps installed on corporate devices, as users might have access to less regulated app sources.
  • Fragmented app ecosystem. With multiple app marketplaces and distribution channels, IT teams might have a hard time managing and securing a more diverse range of apps.
  • Compliance complexity. IT teams will need to navigate new compliance requirements, especially for organizations operating in both EU and non-EU regions.
  • More choice. The DMA changes give IT more flexibility and choices for deploying apps that best suit organizations' needs.
  • Possible cost savings. Alternative app marketplaces and payment systems might reduce costs associated with app procurement and subscriptions.

The DMA-compliant app distribution model creates both security risks and opportunities. IT teams must develop flexible security strategies, update policies and strengthen user education to protect their organizations within this more open mobile ecosystem.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.
