Italy's AGCM Opens First DMA Probe Into Apple's Backup API Lock-In on iOS and iPadOS

Italy's competition authority is investigating whether Apple reserves full-device backup APIs exclusively for iCloud, denying parity to rival cloud services under DMA Article 6(7).

[Infographic: "Italy's AGCM vs. Apple: DMA Interoperability Probe" (People of Internet Research, peopleofinternet.com). Panels: €98.6M Prior AGCM Apple Fine; 10% DMA Max Fine Rate; 2 Apple Gatekeeper Designations.]

Key Takeaways

Italy's Autorità Garante della Concorrenza e del Mercato (AGCM) launched its first investigation under the EU Digital Markets Act on June 16, 2026, targeting what it describes as Apple's exclusive reservation of full-device backup functionality to its own iCloud service on iOS and iPadOS. The probe — conducted in close cooperation with the European Commission, which retains sole DMA enforcement authority — tests whether Apple's control over the backup layer of its mobile operating systems constitutes a denial of equal interoperability to competing cloud providers, in violation of the regulation's Article 6(7).

What the Investigation Targets

The allegation is narrow but carries significant structural weight. Under Article 6(7) of the Digital Markets Act, designated gatekeepers must allow third-party service providers "free and effective interoperability" with the same hardware and software features available to the gatekeeper's own services. For Apple, the AGCM has identified a specific gap: the system-level API that produces a complete device restore point — pulling data from apps, messages, photos, settings, and authentication state into a coherent backup — is accessible only to iCloud. Services such as Google One, Dropbox, or smaller European cloud providers can back up files and selected content, but cannot access the backup framework that enables a full, seamless device restore comparable to what iCloud delivers.

The AGCM's formal position is that Apple's iOS and iPadOS therefore do not grant third-party consumer cloud providers "equal conditions" in accessing the same hardware and software features that iCloud receives. The investigation names Apple Inc., Apple Distribution International Ltd, and Apple Italia S.r.l. as respondents.

The Strongest Case for Intervention

Before evaluating the probe's likely trajectory, it is worth taking the regulators' theory seriously on its own terms. Device backup is one of the most powerful switching-cost mechanisms in consumer technology. A user with years of complete, encrypted iOS backups in iCloud faces meaningfully higher friction when considering a move to Android or a competing ecosystem than a user whose backup situation is portable. If Apple deliberately structured the backup API to be iCloud-exclusive — not because technical constraints required it, but to entrench a downstream subscription service — then it has used gatekeeper control over the operating system to foreclose competition in cloud storage. That is precisely the vertical integration dynamic the DMA was designed to interrupt.

The Commission designated iOS as a gatekeeper platform in September 2023, and added iPadOS on April 29, 2024 — the first ever "qualitative" designation, applied even though iPadOS did not meet the DMA's quantitative user thresholds, because the Commission concluded it constitutes an important gateway for business users. Both designations trigger the Article 6(7) interoperability obligation. If Apple has not extended backup API access to third-party cloud services in the nearly three years since the initial iOS designation, the question of compliance is legitimate.

Where the Probe Gets Complicated

Full-device backup interoperability is not a straightforward API access question. A complete device backup necessarily involves pulling data protected by iOS's Secure Enclave, accessing per-app encrypted storage containers, and handling authentication credentials and health records. Apple's position — that iCloud's deep integration with iOS's encryption chain makes it architecturally distinct from a generic third-party cloud recipient — is not purely pretextual. The DMA itself acknowledges this: gatekeepers may take "strictly necessary and proportionate measures to ensure that interoperability does not compromise the integrity of the operating system," provided such measures are duly justified.

Apple has also stated publicly that concerns about its cloud interoperability approach "were never raised in our extensive discussions with the European Commission on interoperability" — a claim that, if accurate, suggests either a gap in the Commission's prior review process or a deliberate narrowing of its scope. Either way, it does not preclude the AGCM or the Commission from raising the issue now.

The investigation's task is to determine whether Apple's backup exclusivity fits within the DMA's security carve-out, or falls outside it. That is a technical and legal question that cannot be resolved by reciting the regulation's equal-access language alone — it requires an engineering assessment of whether the backup API could be opened to third parties under sandboxing or other security constraints without degrading device integrity.

Italy's Delegated Role and Prior Track Record

The AGCM is exercising authority under Article 38(7) of the DMA, which permits national competition authorities to conduct preliminary investigations on behalf of the Commission. Italy cannot independently impose DMA sanctions; its findings travel to Brussels for any enforcement action. But the AGCM has become a reliable source of Apple-focused regulatory intelligence in recent years. In December 2025, it imposed a €98.6 million fine on Apple for abusing its dominant position in app distribution through the App Tracking Transparency framework, finding that ATT imposed a "double consent" burden on third-party app developers while requiring only a single consent tap for Apple's own apps. That fine is under appeal. The AGCM's pattern — building detailed national-law cases while simultaneously feeding intelligence to European enforcers — reflects a deliberate dual-track strategy.

Enforcement Timeline and Stakes

Public submissions on the investigation may be made until July 31, 2026. The AGCM must complete its preliminary findings by March 31, 2027, at which point the file passes to the Commission. DMA violations can attract fines of up to 10 percent of a company's worldwide annual turnover — a ceiling that translates to tens of billions of euros for a company of Apple's scale. Repeat violations carry potential remedies including structural separation.

A Remedial Design Challenge

What makes this investigation consequential beyond the immediate Apple question is what it reveals about the limits of the DMA's interoperability mandate in security-sensitive contexts. Writing a legally correct equal-access obligation for backup APIs is one thing; writing one that does not introduce new attack surfaces into hundreds of millions of devices is another. If the Commission ultimately requires Apple to open its backup framework, the specification of how third-party cloud services connect to Secure Enclave-protected data will need to be technically airtight, not just legally adequate. Regulators who treat this as a pure equality problem, without engaging the cryptographic architecture, risk mandating openness that creates new vulnerabilities even as it resolves a competitive imbalance. The investigation should be judged not only by whether it reaches a finding, but by whether it produces a remedy precise enough to actually work.
