The Digital Markets Act entered application in 2023, and that September the European Commission designated its first "gatekeepers," the platforms large enough to carry special obligations. Meta's WhatsApp and Messenger made the list. Apple's iMessage, after a market investigation, did not: the Commission concluded in February 2024 that iMessage is not an important gateway for business users in the EU, so the interoperability duty never attached to it.
Article 7 of the DMA is the messaging provision. A designated gatekeeper must offer interoperability to any messaging service that requests it: one-to-one text and file sharing first, group chats within two years of designation, voice and video calls within four. And the obligation comes with a security clause that makes it unlike any previous interop mandate: the gatekeeper must preserve the level of security it offers its own users, "including end-to-end encryption, where applicable," across the interoperable link.
That clause is why this experiment matters beyond Brussels. Regulators have forced networks open before (telephone numbers, SMS, email all interoperate by mandate or by history), but every previous opening happened on unencrypted infrastructure. The DMA is the first attempt to force openness and keep end-to-end encryption at the same time.
Meta's answer: a reference offer
Meta's compliance mechanism is a published reference offer: a contract and a technical onboarding process that a third-party messenger signs to connect to WhatsApp or Messenger in the EU. The architecture Meta described keeps its own protocol at the center. Third parties connect their clients to WhatsApp's server infrastructure and are expected to use the Signal protocol for the encrypted payloads, or demonstrate that their alternative provides equivalent guarantees. Meta's servers route the ciphertext; the encryption terminates in the clients.
In 2025 the first two companies actually crossed the bridge: BirdyChat and Haiket, both small European messengers, became the first third-party services to begin interoperating with WhatsApp under the offer. Their users can message WhatsApp users without installing WhatsApp. As adoption proof this is modest. As an existence proof it is significant: a company without Meta's resources can complete the process, which was a genuinely open question when the offer was published.
Why Signal and Threema said no
The two best-known privacy-focused messengers both declined to request interoperability, publicly and early. Their reasoning is worth taking seriously because it is a privacy argument against a policy that was partly sold as pro-user.
- Metadata concentration. Under the reference-offer architecture, messages to WhatsApp users flow through Meta's servers. The content is end-to-end encrypted, but the metadata (who talks to whom, when, from where) accrues to the gatekeeper. A service built to minimize what it knows about its users would be routing its users' social graphs into the largest data-collection operation on earth.
- Lowest-common-denominator features. Interop covers the basics. Disappearing-message semantics, safety-number verification, and abuse-reporting mechanisms differ between apps, and a cross-service message gets whichever guarantees survive the intersection.
- Accountability for the other side. When something goes wrong for a user (spam, stalking, a compromised endpoint), each provider can only fix its half of the conversation.
You do not have to agree with the refusals to see the point: interoperability transfers some control over your users' security posture to the network you connect to. For a service whose entire value is its security posture, that is an expensive trade.
Cross-service messaging needs cross-service identity: some way for your app to discover that a WhatsApp user exists and fetch their keys, without either service handing its user directory to the other. Every current design leans on phone numbers, with all the problems phone-number identity already has inside a single service. Key verification across providers (who vouches that this key belongs to this person?) is even less settled. See our piece on key transparency for the direction the answers are likely to come from.
The standards path: MLS and MIMI
The reference offer is bilateral: every third party integrates against Meta, one contract at a time. The multilateral version of this idea lives at the IETF, in two building blocks. Messaging Layer Security (RFC 9420) standardizes the hard cryptographic core, group key agreement, so any two conforming implementations can share an encrypted group. On top of it, the MIMI working group (More Instant Messaging Interoperability) is specifying what the DMA does not: a common content format, delivery semantics, and consent rules for messaging between providers, so that interop becomes a protocol you implement rather than a contract you sign with each gatekeeper.
MIMI's documents are still drafts, and drafts are not products. But this is the same maturation path that gave email SMTP and gave the web TLS: a regulation created the demand, and a standards body is building the durable answer. If cross-provider encrypted messaging becomes ordinary in the 2030s, it will almost certainly run on MLS with MIMI or a descendant of it, not on a pile of bilateral contracts.
What it means for you
Three practical readings, depending on who you are:
If you use WhatsApp in the EU: third-party chats are opt-in and clearly labeled, and Meta states that end-to-end encryption is maintained for them. The caveats are the ones above: cross-service conversations carry the intersection of both apps' protections, and features like disappearing messages may behave differently than you expect across the boundary.
If you use a privacy-first messenger: nothing changed without your provider's consent, and the providers most focused on metadata minimization have so far declined. That is them exercising exactly the judgment you pay them (or trust them) for.
If you care about the ecosystem: watch the group-chat deadline. One-to-one text was the easy case. Encrypted group interop at WhatsApp's scale is a much harder cryptographic and moderation problem, and it is where the "encryption preserved" clause will be genuinely tested against the group messaging state of the art.
Haven sits on the standards side of this story: our group chat already runs on MLS, the same RFC the interop future is being built on, and we follow the MIMI work closely as implementers. Not because a regulator told us to, but because a messenger you can leave, with your conversations intact, is a better product than a walled garden. The DMA's real achievement may be making that position economically viable.