Andrea Margiovanni .it
Other People's Privacy

Apple says it can't bring Siri AI to Europe because it has to protect our privacy. The technical problem it invokes is real. The way it uses that problem is not—and the press release is a round of ammunition in a war that has stopped being merely regulatory.

Two Irreconcilable Versions

On June 8, 2026, the same day as the keynote that introduced Siri AI to the world, Apple posted a release on its Newsroom that isn’t a release. It’s an indictment dressed up as a product note. The headline says that, because of the Digital Markets Act, Siri AI will be delayed in the European Union for iOS 27 and iPadOS 27. The text, written effectively in Craig Federighi’s voice, says the company is deeply disappointed, that European regulators refused to engage constructively, that the solutions Cupertino proposed preserved privacy and security, and that Brussels rejected them. The implicit conclusion every European user is invited to draw is that Europe demands less secure products and that Apple, heroically, refuses to build them. On privacy, we don’t bend.

The next day, Commission spokesperson Thomas Regnier replied from Brussels with a sentence worth reading slowly: the decision not to bring Siri AI to the Union is Apple’s, and Apple’s alone. According to the Commission, the company failed to develop interoperability solutions compliant with European privacy and security standards, and instead of seeking a path to compliance it asked to be exempted wholesale from its obligations. Request denied—because an exemption on demand isn’t an option anyone ever wrote into the law.

Two versions of the facts that can’t both be true. And before deciding which to believe, I want to do something this debate rarely does: take Apple’s version seriously. Not out of courtesy, but because if you dismiss it too quickly you lose the real technical point underneath, and with the technical point you also lose any chance of understanding why Cupertino’s framing, while it rests on a genuine problem, is intellectually dishonest.

The Technical Problem Is Real

Start with the real problem. The DMA imposes interoperability obligations on gatekeepers: if Siri AI can reach certain system functions, third-party virtual assistants must be able to reach them too, on fair terms. For a USB connector or default browser choice, the obligation is trivial to implement, and the prophecies of doom that came with it turned out, on schedule, to be theater. For a next-generation AI assistant, it’s not. Siri AI, as shown at WWDC26, is an agent that sees the screen, reads messages, accesses files, and takes actions inside apps and across them. Extending that level of access to any third-party assistant means multiplying the attack surface of a device that holds its owner’s entire life. And it means doing so at a moment when research on the security of agentic systems is telling us something uncomfortable: prompt injection is not a bug you fix with a patch, it’s a structural property of language models that execute instructions contained in the data they process. Anyone who works with these systems daily knows it. An agent with access to the screen and the messages, manipulated by a well-crafted piece of hostile content, is a perfect data exfiltrator. Apple is right when it says the problem exists. It’s right when it says the problem is serious. And it’s right, I’ll add, when it observes that the Commission asserts with confidence that a compliant solution exists without ever having had to design one.

There’s more. The objection Cupertino’s engineers might raise to their critics, me included, runs roughly like this: you talk about competition and markets, we talk about the threat model. The iOS security model works because there is a single root of trust, a single party answerable for the entire stack, from the silicon up to the enclave that guards the keys. Every additional party granted privileged access is a link that can fail, and when it fails Apple isn’t the one held to account—but the harm lands on Apple’s user. This objection is not propaganda. It’s a coherent security architecture, and it’s also, historically, one of the reasons the iPhone is a more expensive target to compromise than almost any other consumer device. Anyone writing about this affair while pretending the objection doesn’t exist is cheering, not analyzing.

The Geography of Risk

And yet. It’s precisely here, at the point where Apple’s argument is strongest, that you have to look at what the company does, not what it says. Because this week’s facts contain at least three details Cupertino’s release would rather not light up, and each of the three cracks the martyrdom story.

The first detail is the geography of risk. Siri AI won’t reach European iPhones and iPads, but it will reach European Macs and Vision Pros. I’ll be told, rightly, that there is a difference: only on iOS and iPadOS, the designated core platform services, does the DMA force Apple to open that agentic access to third-party assistants too, and it’s that opening, not Siri itself, that Apple invokes as the danger. True. But this is exactly where you have to look at what Apple calls a risk. On the Mac, which holds twenty years of documents, Siri AI walks in without a flinch, because there Apple stays the only one holding the keys to the gate. On the iPhone it stops, because there it would have to hand a copy of the key to competitors. The danger, then, doesn’t track how sensitive the user’s data is—on that score the Mac is worse off—but who holds the keys. When the perimeter of a privacy danger lines up to the millimeter not with the sensitivity of the data but with the exact point where Apple ceases to be the sole keyholder, the danger has stopped being an engineering assessment and become an argument about control.

The Impossible Problem, Already Solved Once

The second detail sits in the back room of the new Siri, and it has to be described precisely, because this is where the propaganda on both sides tends to simplify. The brain of the assistant shown at WWDC26 is a custom Gemini model of over a trillion parameters, supplied by Google under a deal reported at around a billion dollars a year. Apple runs it inside its own Private Cloud Compute, with hardware-isolated enclaves and third-party-verifiable guarantees, and when the heaviest reasoning loads have to reach Google’s infrastructure, the queries are anonymized and severed from the user’s identity before they leave, with a contractual ban on Google using them to train its own models. It’s a serious architecture, probably the most sophisticated mediation between an operating system and a third-party model ever built. And that is exactly the point. Apple has just demonstrated, on a planetary scale, that an outside party’s access to the most intimate capabilities of its ecosystem can be engineered without sacrificing the user’s privacy, through a trusted intermediary and inspectable contractual constraints. Which is, to the letter, what the DMA asks it to offer other assistants—and what the company calls impossible. The unsolvable problem was solved, once, for the one partner Apple chose for itself, on the terms Apple dictated and with the benefits Apple collects. The difference between the feasible and the impossible, in this story, doesn’t run through engineering. It runs through who signs the contract.

Who Seeks Compliance, Who Asks for an Exemption

The third detail is procedural, and it’s the one Regnier’s reply makes devastating. Apple says it designed a Trusted System Agent, an intermediary that would have let third-party assistants reach the same capabilities as Siri in a controlled way, with a gradual rollout over eighteen months, and says the Commission said no. The Commission tells a different sequence: Apple presented no compliance solution judged adequate and asked, as its primary request, to be exempted from the interoperability obligations for at least eighteen months. I don’t have the documents from the regulatory dialogue, and neither does any of the commentators handing out certainties right now. But I notice one thing: of the two parties, one carries the legal duty to comply and a billion-dollar interest in not doing so, and the other has already walked through this exact script. Because we’ve seen this film before. June 2024: Apple Intelligence, iPhone mirroring, and screen sharing were announced as impossible in Europe because of the DMA, in the same vocabulary of compromised security. Then the biggest piece, Apple Intelligence, arrived—April 2025, unchanged. AirPods Live Translation, declared hostage to the DMA in September 2025, arrived in December. iPhone mirroring is still missing today, and that should be said. But the mortal danger, in the cases that matter, turns out to be negotiable the moment the negotiating leverage has done its work. A company that cries wolf on this cadence should enjoy a shrinking line of credit, not a sympathetic op-ed with every new release.

The Asymmetry Nobody Names

Here the argument has to widen, because reducing this affair to a regulatory dispute means not seeing it. My own line of work is a small one by comparison: I design and have software built for healthcare and public administration, in a small company in central Italy. When a clinical platform has to expose health data to third-party regional systems, the requirement we receive is exactly what the DMA puts to Apple: interoperability without compromising confidentiality and security. No client, faced with the sentence “it can’t be done securely,” has ever accepted it as a final answer. That sentence, where I work, is the start of the engineering, not its conclusion. You do threat modeling, you design authorization layers, you segment, you log, you submit everything to independent review, and in the end the system interoperates and the data stays protected, because the constraint was treated as a specification and not as an injustice. The difference between my company and Apple isn’t that we’re better—that would be ridiculous to claim. It’s that we don’t have the option of asking for an exemption. Compliance, for anyone below a certain threshold of power, is a condition of existence. Above that threshold it becomes, evidently, a bargaining position. This asymmetry is the real scandal of the week, and almost no one names it.
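One way to make the authorization layer and logging described above concrete, as an added example (not code from the author, Apple or the Commission): a default-deny broker between third-party assistants and device capabilities that requires user confirmation for side effects once untrusted content has entered the session. The capability names, class names and the taint rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical capability names, modelled on the access the essay lists
# (screen, messages, files, in-app actions) plus one outbound channel.
READ_CAPS = {"screen.read", "messages.read", "files.read"}
EFFECT_CAPS = {"app.action", "network.send"}


@dataclass
class Session:
    assistant_id: str
    grants: frozenset        # capabilities the user granted this assistant
    tainted: bool = False    # True once device content entered the model context


@dataclass
class Broker:
    audit: list = field(default_factory=list)

    def _log(self, session, cap, decision, reason):
        # Every decision, including denials, is recorded for independent review.
        self.audit.append({"assistant": session.assistant_id, "cap": cap,
                           "decision": decision, "reason": reason})
        return decision

    def request(self, session, cap, user_confirmed=False):
        # Default deny: unknown or ungranted capabilities never pass.
        if cap not in READ_CAPS | EFFECT_CAPS:
            return self._log(session, cap, "deny", "unknown capability")
        if cap not in session.grants:
            return self._log(session, cap, "deny", "not granted")
        if cap in READ_CAPS:
            # The model cannot reliably separate data from instructions, so
            # the broker assumes anything it read may now be steering it.
            session.tainted = True
            return self._log(session, cap, "allow", "read; session tainted")
        if session.tainted and not user_confirmed:
            # Side effects after an untrusted read need out-of-band consent,
            # which closes the silent read-then-send exfiltration path.
            return self._log(session, cap, "confirm",
                             "side effect after untrusted read")
        return self._log(session, cap, "allow", "side effect permitted")


def run_constructed_scenario():
    """Constructed request sequence for one hypothetical assistant."""
    broker = Broker()
    session = Session("example-assistant",
                      frozenset({"messages.read", "network.send"}))
    decisions = [
        broker.request(session, "files.read"),       # never granted
        broker.request(session, "network.send"),     # clean session
        broker.request(session, "messages.read"),    # taints the session
        broker.request(session, "network.send"),     # now needs the user
        broker.request(session, "network.send", user_confirmed=True),
        broker.request(session, "keychain.read"),    # not a known capability
    ]
    return decisions, broker.audit


if __name__ == "__main__":
    decisions, audit = run_constructed_scenario()
    for entry in audit:
        print(entry)
```

The broker enforces the rule outside the model, so the control holds regardless of what a piece of hostile content persuades the assistant to attempt.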

Two Words Under One Name

Then there’s the central rhetorical trick, the one holding up the entire release, and it deserves to be taken apart calmly. Apple uses the word privacy to mean two different things and counts on the reader not telling them apart. The first is the user’s confidentiality with respect to third parties: greedy apps, data brokers, criminals, hostile governments. On this terrain Cupertino’s track record is genuinely better than the industry average, and it’s the source of its credibility. The second is Apple’s position as the sole arbiter of what enters and leaves its devices. The DMA doesn’t touch the first. It touches the second. It doesn’t ask Apple to protect users less, it asks Apple not to be simultaneously the guardian of the platform’s security and the direct competitor of anyone requesting access to the platform. Because that’s the conflict of interest the regulation exists to defuse: the party that decides what’s safe enough to get in is the same party that loses market share every time something gets in. Calling the defense of that position privacy is a brilliant semantic maneuver, and anyone who works in technology has a duty not to fall for it. The privacy Apple defends so fiercely is always the user’s privacy from others, never the user’s privacy from Apple, and it never stretches as far as the user’s right to decide that their preferred assistant isn’t Cupertino’s. The garden wall protects whoever is inside, sure. But the gardener isn’t a charity, and the wall first of all marks out his property.

The Press Release as Ammunition

And here we reach the layer the Italian tech debate tends to suppress out of Atlanticist tact, and which instead has to be faced head-on: this announcement doesn’t land in a vacuum. It lands in the middle of a pressure campaign—documented and openly declared—that the U.S. administration is running against Europe’s digital regulatory framework. This isn’t speculation, it’s the record, with dates and signatures. In August 2025 President Trump threatened tariffs and export controls against countries whose rules “discriminate,” his word, against American tech companies, unilaterally reopening the fight days after the tariff deal Brussels had sold as commercial peace. In December 2025 the Office of the Trade Representative formalized the threat of retaliation if the Union keeps applying the DMA and the DSA against big tech, naming European companies like SAP, Spotify, Siemens, and Mistral as possible targets. According to Reuters, the administration even weighed individual sanctions against the European officials responsible for enforcement; in December the weighing became practice, with U.S. entry bans for former commissioner Thierry Breton and four leaders of anti-disinformation organizations, accused of “censorship”—treatment we’d have associated, until yesterday, with judges in countries under authoritarian rule. And in April 2026 the Commission confirmed it had opened a dialogue with Washington on digital technologies and markets to “clear up misunderstandings,” a channel twenty-three European civil-society organizations denounced as a doorway for American influence inside the enforcement phase of laws already in force. The fines handed down in the meantime—€500 million to Apple under the DMA, €200 million to Meta, €120 million to X under the DSA—are officially both the proof of persecution and the pretext for reprisal.

Inside this picture, Cupertino’s release stops being a product release and reveals its function. I’m not claiming there’s coordination between Apple and the White House; I have no proof, and suspicion isn’t an argument. I’m claiming something more verifiable and in some ways worse: that the announcement, whatever its intent, operates as ammunition inside that campaign, and that Apple knows it. When a company worth four trillion in market cap tells 450 million Europeans that their phones will be deliberately less capable because of their elected representatives, it is practicing a form of political pressure that has no settled name and that I’d propose calling lobbying by deprivation. It doesn’t bribe and it doesn’t threaten: it withholds. It turns the consumer into a hostage and invites them, in a grieving tone, to blame the wrong kidnapper. It’s a refined technique because it externalizes the conflict: it’s no longer Apple against the Commission, it’s the angry user against Brussels, multiplied across millions of posts and bar-stool conversations. The political cost of enforcement gets loaded onto the shoulders of the very people enforcement is meant to protect. And it works, at least in part: just read the comments under any Italian article on the affair to find European citizens demanding the repeal of a law written to give them back bargaining power. Hybrid war, when it’s done well, recruits its troops from among the targets.

Hybrid War, Literally

I use the phrase hybrid war aware of its weight, and precisely for that reason I have to defend it against the charge of being hyperbolic. Hybrid war means pursuing strategic objectives with tools that stay below the threshold of declared conflict: economic pressure and the manipulation of public opinion, made effective by exploiting the adversary’s infrastructural dependencies. Each of these tools is observable, today, in the relationship between Washington and Brussels over digital policy. Tariffs used explicitly as leverage against EU laws in force are economic pressure in the service of regulatory aims. The campaigns painting the DSA as censorship, rebutted point by point by the Commission and relaunched unchanged the next day, are operations on public opinion. And Europe’s dependence on American cloud, operating systems, and foundation models is the condition that makes the first two effective, because you can’t trade blow for blow with the party that runs the infrastructure on which you’re writing your reply. That the companies involved are private and the administration is an elected government doesn’t change the structure of the phenomenon: it changes only our willingness to recognize it, schooled by decades in which American technological hegemony was told to us as natural destiny and even as a favor.

Europe Is Not the Immaculate Victim

Intellectual honesty requires, at this point, turning the same skepticism toward home. Europe is not the immaculate victim of this story, and anyone who tells it that way does Europe a disservice. The European regulatory framework suffers from an original sin the Draghi report put in black and white: we regulate markets we didn’t build, and regulation without industrial policy risks being the orderly management of one’s own irrelevance. There’s no European AI assistant that could benefit from the interoperability imposed on Apple—or rather there are embryonic ones, and the bitter irony is that among the immediate beneficiaries of the DMA’s obligations would be mostly Google and Meta, that is, other American gatekeepers. Enforcement itself shows cracks: the Commission’s willingness to open the April dialogue with Washington, while the USTR threatens retaliation, suggests that the proclaimed firmness coexists with a very concrete fear of paying the price of firmness. And on the technical plane the most serious question stays open: if there really were, today, no sufficiently secure way to grant third parties the agentic access Siri AI reserves for itself, the DMA would be asking the impossible—and a law that asks the impossible produces exactly this kind of stalemate. I don’t think that’s the case, for the reasons given above, first among them the Gemini precedent. But anyone defending the European framework has to keep this door open, because the difference between a conviction and a faith lies in the list of things that could make you change your mind.

Constraint Is Generative

That said, there’s a precise reason why, forced to choose where to stand, I stand with the regulator, and it’s a reason that comes from the craft before the ideology. In recent years I’ve spent a disproportionate amount of my time inside the European acronym soup, among data protection impact assessments, cyber resilience requirements, accessibility obligations, AI Act adjustments for platforms operating in clinical and administrative contexts. I know the cost of these rules in the most direct way possible: I put it in the quote, and sometimes I eat it. And I’ve come to a conviction I’ve defended elsewhere and that this affair confirms: in engineering, the constraint is generative. The best systems I’ve watched get built were born inside requirements that at first looked oppressive, because the oppressive requirement forces you to actually understand the problem instead of routing around it with power. An architecture that knows how to expose health data to third parties without betraying the patient is a better architecture than one that simply doesn’t expose it. An AI assistant that knows how to coexist with competitors on the same device, inside a verifiable permissions model, would be a safer assistant than one protected by monopoly, because security that depends on exclusivity isn’t security, it’s rent with good public relations. Apple has the best engineers on the planet and four trillion reasons not to put them on this problem. The Commission, by saying no, took away the comfortable alternative. We’ll see, at the next iteration of this script, whether the impossible problem stays impossible.

Now What?

There remains one last question, the one the European reader takes home along with their less capable iPhone: now what? The temptation is to answer with the list of things Europe should do and won’t. I prefer a smaller, more workable answer, one that concerns the reader. The next time a company tells you it can’t give you something because of a law that protects you, apply the test we applied here: look at where the declared danger coincides with the legal obligation, and look at what the company has already granted when it was the one dictating the terms. Then ask yourself who sought compliance and who asked for an exemption. The clash staged this week doesn’t pit privacy against regulation: it pits two ideas about who has the right to define trust—a company for its customers, or a political community for its citizens. And a continent that left that definition to a Cupertino press release, however elegantly written, wouldn’t have lost a voice assistant. It would have lost its voice.

Key takeaways

  • The technical problem is genuine: extending the agentic access Siri AI reserves for itself—screen, messages, files, in-app actions—to any third-party assistant multiplies the attack surface, and prompt injection is not a bug you patch but a structural property of language models that execute instructions buried in the data they process. Anyone pretending the objection doesn’t exist is cheering, not analyzing.

  • The geography of risk betrays the story: Siri AI ships to European Macs and Vision Pros but not to iPhones and iPads. Apple will say the DMA forces it to open access to third parties only there, and that’s true; but the danger it invokes lines up to the millimeter not with how sensitive the data is—a Mac holds more of it—but with the exact point where Apple stops being the sole keyholder. That’s an argument about control, not about privacy.

  • The problem declared impossible has already been solved, once: Apple runs a custom Gemini model of over a trillion parameters inside its own Private Cloud Compute, with anonymized queries and inspectable contractual constraints. That is exactly the architecture the DMA asks it to offer other assistants. The line between feasible and impossible, in this story, doesn’t run through engineering. It runs through who signs the contract.

  • It has happened before: June 2024, Apple Intelligence announced as impossible in Europe because of the DMA, then shipped unchanged in April 2025; September 2025, AirPods Live Translation declared hostage to the regulation and released in December. A company that cries wolf on this cadence deserves a shrinking line of credit, not a sympathetic op-ed with every new release.

  • Beneath the regulatory dispute sits the hybrid war: tariffs used explicitly as leverage against EU laws already in force, retaliation threatened by the USTR, even a U.S. entry ban for a former European commissioner. Cupertino’s release, whatever its intent, works as ammunition and turns the consumer into a hostage, inviting them to blame Brussels. It is lobbying by deprivation.

Questions & answers

Why does Apple say it can't bring Siri AI to Europe?

On June 8, 2026 Apple published a release blaming the Digital Markets Act for postponing Siri AI on iOS 27 and iPadOS 27 in the European Union. The implicit argument is that the DMA’s interoperability obligations—which require opening the same system functions granted to Siri to third-party assistants—would force Apple to build less secure products, and that the company refuses to do so. The next day the Commission replied that the decision is Apple’s and Apple’s alone, and that the company, instead of looking for a path to compliance, asked to be exempted wholesale from its obligations.

Is the security risk Apple invokes real or a pretext?

It is real, and worth taking seriously. Siri AI is an agent that sees the screen, reads messages, accesses files, and performs actions inside apps. Extending that level of access to any third-party assistant multiplies the attack surface, and prompt injection is not a bug you patch: it is a structural property of language models that execute instructions buried in the data they process. The problem exists. But existing isn’t the same as being unsolvable, and Apple’s own behavior—solving it for its own partner, denying it to everyone else—suggests the pretext is the framing, not the risk.

What does Google's Gemini model have to do with all this?

The brain of the new Siri is a custom Gemini model supplied by Google, which Apple runs inside its own Private Cloud Compute with hardware-isolated enclaves; when queries reach Google’s infrastructure they are anonymized and severed from the user’s identity, with a contractual ban on using them for training. It is one of the most sophisticated mediations ever built between an operating system and a third-party model. And it is, literally, the architecture the DMA asks Apple to offer other assistants too—the one the company calls impossible. The unsolvable problem was solved for the one partner Apple chose for itself.

What does it mean that the release is ammunition in a hybrid war?

It means that, whatever its intent, the announcement operates inside a documented pressure campaign the U.S. administration is running against Europe’s digital regulatory framework—tariffs used as leverage, retaliation threatened by the USTR, an entry ban imposed on a former commissioner. When a four-trillion-dollar company tells 450 million Europeans that their phones will be deliberately less capable because of their elected representatives, it is practicing a form of political pressure I’d propose calling lobbying by deprivation: it doesn’t bribe and it doesn’t threaten, it withholds—and it invites the consumer to blame the wrong kidnapper.

The author

Andrea Margiovanni

I help public bodies and private organizations read their own infrastructure dependencies. Digital sovereignty is a lattice, not a flag; and it is measured more on contracts than on speeches.

© 2026 Andrea Margiovanni Made with care, by hand