Mandating Interoperability Without Safeguards: Structural Weaknesses of the App Store Freedom Act

The aims of the App Store Freedom Act are understandable: widening choice, reducing entrenched gatekeeping, and giving developers greater commercial latitude. However, by introducing sweeping interoperability and access obligations without the safeguards and sequencing that underpin similar UK and EU regimes, the proposed law risks establishing a framework that is less secure, less proportionate, and substantially more overreaching than its international counterparts.

These concerns are especially pronounced in the area of security. As drafted, the law would create vulnerabilities by imposing expansive access mandates without the procedural or technical protections that typically accompany such obligations in European jurisdictions. For example, it mandates side-loading and unusually broad access to system-level interfaces, yet provides none of the safeguards built into the European Union’s Digital Markets Act (DMA) or the United Kingdom’s Digital Markets, Competition and Consumers (DMCC) Act.

In practice, compelling platforms to grant access to any interface they use internally risks exposing biometric authentication tools, encrypted messaging layers, secure enclaves, and even contactless-payment systems to unvetted actors—precisely the components that underpin mobile system security and user protection. Without a mechanism for constraining high-risk access, these duties could open the operating system’s most sensitive layers to compromise. Interoperability can be beneficial, but only when paired with clear technical boundaries and proportionate risk-management obligations.

European frameworks recognise these risks and include tightly defined security exceptions—reinforced by necessity and proportionality standards—that seek to preserve the integrity of core system functions. Under Article 6(4) of the DMA, companies may restrict access where they demonstrate that third-party access would endanger the integrity of the hardware or operating system—and only to the extent strictly necessary and proportionate. In the absence of comparable safeguards, the App Store Freedom Act would weaken the protections that underpin the system’s security architecture.

A further difficulty is the absence of a designation process or proportionality assessment. Unlike the EU and UK approaches, the App Store Freedom Act applies sweeping obligations automatically, based solely on user numbers and operating-system control. More specifically, as set out in Section 6(4), the Act imposes these duties on any company that owns or controls the operating system and meets the statutory user-threshold of more than 100 million U.S. users, and it does so without any inquiry or opportunity to contest its applicability. The EU and UK frameworks rely on these procedural safeguards because they allow regulators to calibrate measures to the scale and nature of specific problems. By contrast, under the proposed law, the United States would adopt a one-size-fits-all approach that risks imposing heavy structural duties irrespective of context.

The bill also seeks to embed detailed technical obligations directly in primary legislation, rather than situating them within a regulatory framework that uses delegated authority or iterative rule-making to adjust obligations as technologies evolve. In contrast, the EU and UK approaches provide for greater adaptability—through delegated acts in the EU, and through interpretive guidance and evolving rule-making and conduct-setting mechanisms in both jurisdictions—that allow regulators to refine obligations over time. This flexibility is essential in an environment where operating-system architectures, security standards, and distribution models are changing rapidly—not least with the emergence of AI-mediated interfaces and new device categories. Fixing detailed requirements in statute risks creating a rigid framework that will struggle to adjust to new technological developments and emerging risks.

Taken together, these shortcomings reflect a deeper structural issue. The Act borrows the vocabulary of European ex ante regulation but omits the procedural discipline, security safeguards, and adaptive mechanisms that make those regimes internally coherent. The resulting obligations may appear familiar but lack the evidentiary standards, proportionality assessments, and institutional guardrails needed to avoid unintended consequences. Without these foundations, the proposed law risks creating security vulnerabilities and regulatory uncertainty and establishing an interoperability framework that struggles to adapt as markets and technologies evolve. A more coherent and proportionate approach is essential if the aim is to broaden competition and choice without compromising the stability and security of the wider mobile ecosystem.