The Security Argument That Ships on the Mac But Not the iPhone
On Apple’s DMA “Siri AI” delay, and where the engineering claim stops being an engineering claim.
On 8 June 2026, alongside the WWDC26 keynote, Apple said the Apple Intelligence–powered Siri overhaul won’t ship on iOS 27 and iPadOS 27 in the EU at launch. It will, however, reach EU users on macOS 27, visionOS 27, and watchOS 27—no timeline for iPhone and iPad. The stated reason is the Digital Markets Act, and the framing is one we’ve heard before: an “extreme interpretation” of interoperability would force Apple to hand over “nearly unlimited access” to arbitrary third-party assistants, which would dissolve the privacy and security guarantees the platform was built around.
I want to take the security part seriously, because some of it holds up. The trouble starts where the argument stops describing a threat model and starts doing rhetorical work.
What’s actually true
Agentic risk is real, and I don’t think that’s in dispute among people who’ve shipped this stuff. An assistant with broad, autonomous, cross-app action rights, reading and sending messages, making purchases, firing actions across any app, is a much larger attack surface than the API-level interoperability the DMA was originally drafted around. Prompt injection, tool-use hijacking, exfiltration through an over-permissioned agent: these are demonstrated attack classes, not hypotheticals. Anyone who’s spent the last couple of years putting defenses around an agent in production has been fighting exactly these kinds of issues. So Apple is right about the threat. That’s the part worth conceding up front, because everything after it depends on noticing that the threat being real doesn’t get Apple to the conclusion it draws.
The capability is the risk, not the vendor.
The argument runs: this is too dangerous to expose to third parties. But the dangerous thing Apple describes, the autonomous agent that can be hijacked into sending your messages or walking off with your files, exists the moment Siri AI itself has those rights. A prompt-injection payload doesn’t read the developer certificate before deciding whether to fire. It can’t. The risk lies in the capability, not in who signed the binary.
Which leaves two coherent positions and no third one. Either the capability is safe behind a consent-gated, audited broker, in which case it’s safe for everyone going through that broker, Apple included. Or it’s unsafe, in which case Siri AI shouldn’t get ungated access either. “Dangerous when they do it, safe when we do it” describes a brand, not a security boundary, and this is the one place I’ll let that antithesis stand, because it’s the whole argument in five words.
The cross-platform split, which is where I stopped reading it as engineering
Here’s the detail the press release would rather you skim past: the supposedly dangerous capability ships on macOS and is withheld on iOS.
Sit with that for a second against an actual threat model. The Mac executes arbitrary, unnotarized binaries, exposes a full filesystem, and carries decades of real malware history. The iPhone is the hardened one, with per-app permissions, no arbitrary code execution, and the strictest entitlement model Apple ships. If autonomous agentic access were a genuine, platform-independent hazard, the Mac is the last place you’d switch it on first.
So Apple ships the “too dangerous to open” feature on its most exposed platform and holds it back on its most locked-down one. A security risk doesn’t care about the DMA’s gatekeeper designations. Regulatory leverage does. The asymmetry isn’t a sign that engineering tied Apple’s hands; it’s a sign the feature ships freely wherever Brussels has no leverage and stalls precisely where it does. I find this one harder to argue away than the others, and I’ve tried.
There’s a related move worth naming quickly. Apple’s proposed mitigation is a “Trusted System Agent,” an intermediary that allows competing assistants to access the same capabilities in a controlled way. The security instinct is correct; you can mediate access through a broker. But Apple designs, owns, and audits that broker, which keeps Apple the arbiter of how much capability its competitors get to touch. The mediated-access pattern is genuinely the right one. It just doesn’t require the gatekeeper to be the mediator. OAuth-style scopes and the runtime permission systems already in Android and iOS show you can grant scoped, revocable, per-action access without handing over root and without the platform owner sitting inside every rival’s request. A regulator- or standards-specified broker interface provides the same security properties and eliminates self-preferencing.
The company that built App Tracking Transparency now says scoped access can’t be done.
This is the part I keep coming back to. Apple’s entire privacy brand rests on the claim that you can grant narrow, explicit, revocable access safely: per-app location, App Tracking Transparency, scoped photo access, and the permission prompt as a whole design language. Apple is the company that told the industry “all-or-nothing” was a false choice.
The DMA argument asks you to forget all of that. Suddenly, “deep integration” is one switch, fully on or fully off, and opening it to rivals necessarily wrecks the guarantees. But decompose the switch the way Apple’s own permission model already decomposes everything else (read context, draft content, execute reversible actions, execute irreversible ones like payments, each behind explicit, revocable, per-scope consent) and most of the objections drain out. The architecture for this already exists. Apple ships it. That’s what makes the claim hard to take at face value: it’s contradicted by the company making it.
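To make the decomposition and the vendor-neutral broker described above concrete, here is a minimal sketch added for illustration; it is not Apple's Trusted System Agent or the Commission's specification. The `Broker` class, the tier names, and the assistant and app names are all hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum

class Tier(Enum):
    READ_CONTEXT = "read context"
    DRAFT_CONTENT = "draft content"
    REVERSIBLE_ACTION = "reversible action"
    IRREVERSIBLE_ACTION = "irreversible action"  # e.g. payments

@dataclass
class Broker:
    """Hypothetical consent-gated broker (constructed for illustration)."""
    grants: dict = field(default_factory=dict)  # (assistant, app) -> set of Tier
    audit: list = field(default_factory=list)   # every decision is recorded

    def grant(self, assistant, app, tier):
        self.grants.setdefault((assistant, app), set()).add(tier)

    def revoke(self, assistant, app, tier):
        self.grants.get((assistant, app), set()).discard(tier)

    def authorize(self, assistant, app, tier, user_confirmed=False):
        # The decision reads only the consent table: no vendor allow-list,
        # no "first-party" bypass. Scopes are explicit and not inherited.
        if tier not in self.grants.get((assistant, app), set()):
            decision = "deny:no-grant"
        elif tier is Tier.IRREVERSIBLE_ACTION and not user_confirmed:
            # Confirmation must come from the user through the broker's own UI,
            # never from text the assistant processed (injected content).
            decision = "deny:needs-confirmation"
        else:
            decision = "allow"
        self.audit.append((assistant, app, tier.name, decision))
        return decision

def demo():
    b = Broker()
    assistants = ("platform_assistant", "rival_assistant")  # constructed names
    for a in assistants:
        b.grant(a, "messages", Tier.READ_CONTEXT)
        b.grant(a, "wallet", Tier.IRREVERSIBLE_ACTION)
    out = {}
    for a in assistants:
        out[a] = [
            b.authorize(a, "messages", Tier.READ_CONTEXT),
            b.authorize(a, "messages", Tier.REVERSIBLE_ACTION),  # never granted
            b.authorize(a, "wallet", Tier.IRREVERSIBLE_ACTION),
            b.authorize(a, "wallet", Tier.IRREVERSIBLE_ACTION, user_confirmed=True),
        ]
    b.revoke("rival_assistant", "messages", Tier.READ_CONTEXT)
    out["after_revoke"] = b.authorize("rival_assistant", "messages", Tier.READ_CONTEXT)
    return out, b.audit
```

Both assistants get identical decisions for identical grants, and the audit log gives any reviewer, not only the platform owner, a record of what was allowed and why.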
On “indefinitely,” and the precedent nobody at Apple wants cited.
A word on the missing timeline. We’ve seen this episode run before. In 2024, Apple made a nearly identical DMA argument about Apple Intelligence, withheld the features from the EU, let the frustration build, and then shipped them via iOS 18.4 in March 2025. “Indefinite” lasted about two quarters. Meanwhile, in the parallel Google proceedings, the Commission published a 29-page specification of consent-gated, app-level actions, roughly the opposite of “nearly unlimited.” When one side’s “extreme interpretation” is the other side’s published 29-page spec, the adjectives carry more weight than the facts.
The actual disagreement
To be clear, this isn’t security versus openness. The DMA’s interoperability provision, Art. 6(7), explicitly allows measures that are strictly necessary and proportionate to protect integrity and security. The real question is whether Apple’s safeguards are the minimum necessary or a self-serving maximum, and the law puts the burden of proving proportionality on the gatekeeper, which quietly inverts the “regulators won’t engage” framing.
Two things hold at once. Agentic risk is genuine, and it’s being used as commercial leverage. The first is an engineering fact. The second is what the cross-platform split, the gatekeeper-owned broker, and the 2025 precedent all point at. The job is to hold both without letting a real threat model launder a business decision.
My guess is the feature ships in the EU behind a brokered, consent-gated, capability-tiered access layer that ends up looking a lot like what the Commission is already describing. How many quarters of “indefinitely” we spend getting there is the part I genuinely can’t predict.
Sources: Apple Newsroom (8 Jun 2026); Bloomberg, “Apple Delays Siri AI for iPhone Users in EU” (8 Jun 2026); Engadget; Gadget Hacks. 2024 precedent: iOS 18.4 EU rollout, March 2025 (AppleInsider, RTTNews). Google comparison and 29-page specification: European Commission DMA portal (27 Jan 2026); Reuters (27 Apr 2026); The Next Web (16 Apr & 6 May 2026). DMA Art. 6(7): regulation text.


