EU DMA Probes AWS and Azure as Cloud Gatekeeper

The European Commission has formally opened three inquiries under the Digital Markets Act (DMA) that together mark the most serious regulatory scrutiny of cloud infrastructure yet: two focused market investigations into Amazon Web Services (AWS) and Microsoft Azure, and a third horizontal probe to assess whether the DMA’s gatekeeper toolkit can meaningfully be applied to cloud computing at scale.

Background / Overview​

Cloud infrastructure has become critical economic and strategic infrastructure for governments, banks, healthcare, telcos and web-scale platforms. A tiny number of hyperscalers—chiefly Amazon, Microsoft and Google—now control the bulk of public-cloud capacity and managed services worldwide. That concentration has drawn growing attention from national regulators and from Brussels. The Commission’s move to open formal market investigations into AWS and Azure, together with a third study to evaluate the DMA’s fitness for cloud, signals a determination to treat cloud not merely as a commodity input but as a possible locus of “gatekeeper” power with systemic consequences.
The DMA was designed as an ex‑ante framework to impose obligations on digital platforms that act as intermediaries between businesses and end users—so‑called “gatekeepers.” Typical obligations include non‑discrimination, interoperability and data‑portability measures, backed by powerful enforcement tools and fines. But the DMA’s quantitative thresholds and metrics (for example, active users and EU turnover) were written with consumer‑facing platforms in mind, not enterprise infrastructure contracts or IaaS control planes. One central question Brussels now faces is whether the DMA’s yardstick can be mapped onto cloud offerings or whether a tailored regulatory approach is necessary.
The Commission has indicated it expects to complete the investigations within roughly 12 months, an expedited timeframe for market inquiries of this complexity. Microsoft has publicly stated it will cooperate with the probe.

---

What the Commission is actually investigating​

1. Gatekeeper designation for cloud services​

At the heart of the inquiry is the functional question: do cloud infrastructure services perform the same gatekeeping role as app stores, search or marketplaces? The DMA’s designation test is both quantitative and qualitative: a provider meeting threshold metrics can then be assessed for gatekeeper behavior—ability to control access and to influence downstream markets. Brussels will evaluate whether specific cloud services or provider offerings effectively control essential access between business customers and end users in ways that foreclose competition or enable self‑preferencing.

2. Specific commercial and technical practices​

Investigators will probe behaviours and contractual terms that raise switching costs or favour incumbents:

• Egress fees and portability friction — charges and technical obstacles that make leaving a cloud provider costly or slow.
• Licensing and bundling — whether bundled licensing or preferential pricing makes it cheaper (or operationally simpler) to run workloads on the provider’s own cloud than on rivals’ platforms.
• Self‑preferencing and marketplace bias — whether first‑party managed services or marketplace placements get treatment (performance, pricing or visibility) that disadvantages third‑party software.
• Interoperability and proprietary control‑plane primitives — absence of standard APIs or proprietary runtime features that lock workloads to a particular stack.

3. The DMA’s suitability for cloud​

The Commission’s third probe is explicitly methodological: it will test whether obligations designed for consumer platforms can be usefully adapted to enterprise infrastructure, or whether alternative competition and sectoral tools are more appropriate. This is a live, technical question: how do you measure “active users” or “end‑user reach” for IaaS; what does “interoperability” mean for cloud control‑plane semantics and performance‑sensitive workloads? The Commission is seeking to answer those mapping challenges before deciding on substantive remedies.

---

Why now: converging technological and political drivers​

Three forces have converged to bring cloud into Brussels’ crosshairs.

• Market concentration: Independent trackers and national authorities have repeatedly documented that a small number of hyperscalers account for the lion’s share of public‑cloud spending in many jurisdictions. The UK’s Competition and Markets Authority (CMA) and other national reviews have flagged structural barriers and high market shares that prompted further examination.
• Systemic outages and resilience concerns: A series of high‑impact outages affecting DNS, edge fabrics and managed control‑plane services demonstrated how a single misconfiguration or control‑plane failure can cascade across many services and sectors. Regulators see concentration not only as a competition problem but as a resilience risk. Those operational incidents materially influenced the urgency of the EU’s intervention.
• AI‑era compute and vendor lock‑in: Generative AI workloads need specialized hardware, integrated stacks and often managed AI platforms. Those capabilities are expensive to replicate and easy to bundle with proprietary value‑added services, making technological lock‑in more severe in the AI era. Regulators are worried that AI will accelerate entrenchment if left unchecked.

Taken together, those pressures create a political environment in which regulators are prepared to test the bounds of ex‑ante remedies rather than rely solely on ex‑post antitrust enforcement.

---

How the DMA could change cloud markets — practical remedies on the table​

If the Commission concludes that DMA‑style obligations are applicable, the toolbox includes several high‑impact interventions:

• Mandated interoperability and standard APIs: Forcing non‑discrimination in access to essential control‑plane functions and standardized interfaces for identity, routing, storage formats and orchestration primitives. This would reduce technical lock‑in but requires precise, technical standards to avoid operational breakage.
• Limits on self‑preferencing and bundling: Bans or constraints on practices that give platform‑owned managed services preferential treatment in marketplaces, pricing or console UX. That could open opportunities for independent ISVs and competing managed services.
• Data portability and egress reforms: Rules to cap or standardize egress pricing and to mandate audit‑grade migration tooling with measurable performance or time‑to‑export guarantees. This is a direct policy lever to reduce “exit tolls.”
• Transparency, audits and reporting obligations: Requirements for objective metrics on resource allocation, traffic shaping, and ranking of marketplace offerings, backed by independent audits and possible fines for non‑compliance under the DMA enforcement regime.

These remedies would be powerful: gatekeeper breaches under the DMA carry fines of up to 10% of global turnover for first breaches and up to 20% for repeat breaches. But translating these measures to cloud requires technical precision and careful rule‑making.

---

Legal, technical and economic complexity — why the mapping is hard​

The DMA was drafted around a class of consumer and business‑facing core platform services where metrics like monthly active end users and EU revenue are straightforward to measure. Cloud infrastructure does not fit those simple gauges:

• Metrics mismatch: Cloud is sold through contracts, reserved capacity purchases and enterprise procurement channels. Counting “users” or measuring “end‑user reach” is not straightforward. This complicates both designation and the calibration of obligations.
• Technical granularity: Cloud control planes, APIs, telemetry and performance SLAs are deeply technical. Designing enforceable interoperability standards requires expertise and can be operationally invasive. Regulators will need domain experts and sustained technical engagement to write credible, enforceable obligations.
• Investment trade‑offs: Hyperscalers argue that scale buys resilience, security and continuous innovation. Heavy‑handed ex‑ante rules could change investment incentives, possibly slowing the rollout of new data centres or specialized compute essential for Europe’s AI ambitions. Policymakers must weigh contestability against the need to incentivize capital‑intensive infrastructure.
• Risk of fragmentation: Mandating region‑specific control‑plane changes or data‑localization rules could fragment global operational models, raising costs and potentially reducing the global threat intelligence flows that underpin resilience.

These are not theoretical objections: they are practical constraints that make a one‑size‑fits‑all DMA extension to cloud both legally and technically fraught.

---

Likely scenarios and a practical timeline​

The Commission has set an approximate 12‑month window for the inquiries, suggesting the EU intends to move from fact‑gathering to policy options comparatively quickly. Possible outcomes include:

1. A finding that specific cloud offerings meet gatekeeper criteria and the imposition of tailored DMA obligations on those services.
2. A decision that the DMA’s current toolkit is not a good fit for cloud, prompting the Commission to pursue targeted remedies under competition law or to combine DMA‑style obligations with sectoral acts (e.g., Data Act, AI Act) or new cloud‑specific legislation.
3. A middle path: non‑designation but with negotiated undertakings or mandatory commitments addressing clear frictions (egress, portability, audits) without formal gatekeeper tagging.

The Commission’s third, horizontal probe is pivotal: if it concludes that DMA instruments can be credibly adapted, the regulatory baseline will shift more dramatically; if not, regulators may opt for narrower, targeted interventions.

---

What this means for enterprises and procurement teams​

The regulatory development itself shifts the procurement risk profile. Organizations should act now to reduce exposure and preserve options:

• Map critical dependencies: Catalog which workloads rely on proprietary managed services (databases, edge fabrics, specialized AI stacks) and estimate the realistic cost and time to migrate them.
• Harden contractual exit terms: Negotiate capped egress fees, strict data‑export SLAs, and explicit audit and attestation rights for residency and key management. Demand contractual remedies tied to measurable portability outcomes.
• Adopt portability patterns: Favor containerization, standardized orchestration, and abstraction layers that limit lock‑in for critical workloads. Where proprietary services are used, encapsulate them to reduce migration friction.
• Insist on customer‑controlled keys: Bring‑your‑own‑key (BYOK) models and external key management reduce vendor access to data and can make migrations more secure and practical.
• Test runbooks: Operationally validate migration runbooks and multi‑region failovers so exit options are not merely contractual promises but operationally achievable processes.

These are defensive steps that lower regulatory and vendor‑induced risk regardless of the Commission’s final outcome.

---

Political and international dimensions​

Bringing cloud under DMA‑style rules has significant geopolitical implications. European policymakers emphasize digital sovereignty and resilience; however, aggressive EU action risks transatlantic friction and could spur reciprocal measures or retaliatory trade concerns. US‑based hyperscalers and industry groups have warned that poorly calibrated rules could disadvantage European buyers by increasing costs or reducing service choice. The Commission must balance strategic autonomy with the practicalities of global cloud markets and maintain coordination with partners such as the UK and the US where possible.
The UK’s CMA and other national authorities have already contributed evidence and precedent for EU action. Those national inquiries helped crystallize the concerns that now shape Brussels’ investigation.

---

Independent perspectives, strengths and risks​

Strengths of intervention​

• Proactive mitigation of lock‑in: Early, ex‑ante remedies could prevent AI‑era lock‑in before it becomes irreversible.
• Resilience gains: More interoperable control planes and portability tools would reduce systemic fragility from single‑provider failures.
• Level playing field for ISVs: Limiting self‑preferencing fosters a more competitive market for managed services and marketplaces.

Risks and unintended consequences​

• Fragmentation and costs: Heavy obligations, especially if poorly specified, risk fragmenting global operations and raising prices for European customers.
• Investment chill: Ex‑ante constraints could reduce incentives to invest in new data centres or specialized compute needed for AI.
• Enforcement complexity: Monitoring control‑plane behaviour and enforcing technical obligations requires sustained, specialist capability inside regulators. That raises the bar for practical, credible enforcement.

Some claims in early reporting rely on anonymous sources and traditions of scoop journalism; where reporting depends on single, unnamed briefings (for example initial wire claims attributed to Bloomberg), those points should be treated with caution until corroborated by formal Commission notices.

---

What hyperscalers say — immediate reactions​

Hyperscalers defend their practices as necessary to deliver global reach, security and innovation. Public statements indicate a willingness to cooperate with the Commission’s inquiry while contesting the premise that scale equals anti‑competitive conduct. Microsoft has signalled cooperation with the probe; AWS and other providers argue that scale produces customer benefits and that competition is dynamic. Expect vigorous engagement from industry through consultations, technical workshops and legal challenges if the DMA is pushed into cloud.

---

Strategic implications for Windows users and enterprise architects​

For organizations that build on Microsoft technologies, the inquiries raise particular points of focus. Microsoft’s licensing practices and integration between Office, Windows Server and Azure have been specifically flagged in prior regulatory work as potential sources of lock‑in. Any regulatory outcome that constrains preferential licensing or tight coupling could alter total cost of ownership calculations and improve portability for Windows‑centric workloads. Conversely, a regulatory misstep that discourages investment in Azure‑specific optimization (for example performance or security features) could slow advances that currently benefit enterprise Windows customers. Enterprises should therefore both plan for greater portability and monitor how legal decisions reshape vendor roadmaps.

---

Conclusion​

The European Commission’s decision to open market investigations into AWS and Microsoft Azure under the DMA—and to run a parallel probe into the DMA’s suitability for cloud—represents a watershed moment for cloud governance. Regulators are confronting a hard truth: cloud is infrastructure, policy and geopolitics rolled into one. The Commission’s inquiries could produce tangible benefits—greater portability, reduced lock‑in and stronger resilience—but they also risk fragmentation, higher costs and complex enforcement battles if they are not carefully calibrated.
For IT leaders, the prudent response is clear and immediate: assume the regulatory baseline will shift, but that outcomes are uncertain. Strengthen contractual exit rights, design for portability, operationally test migrations and demand stronger audit and key control rights today. For policymakers, the task is to craft narrowly targeted, technically precise remedies that fix demonstrable harms without undermining the very scale and investment that deliver cloud’s security and performance benefits.
The next 12 months will be decisive. Expect intense technical engagement, detailed evidence submissions, and a possible reshaping of how Europe—and by extension the global market—governs the clouds that now underpin modern computing.

---

Source: MLex EU opens probes into Microsoft, AWS for possible 'gatekeeper' designation | MLex | Specialist news and analysis on legal risk and regulation