EU DMA Probes AWS and Azure as Cloud Gatekeepers

Brussels has published formal market investigations under the Digital Markets Act (DMA) targeting Amazon Web Services (AWS) and Microsoft Azure, a move that opens a 12‑month fact‑finding window into whether the two hyperscalers function as regulated “gatekeepers” for cloud computing services — and whether the DMA’s toolbox can be adapted to the technical realities of cloud infrastructure.

Background​

Cloud computing has evolved from a procurement commodity into a strategic backbone for governments, finance, healthcare and the AI stacks that now drive enterprise transformation. That evolution has concentrated market power in a handful of hyperscalers, and regulators across Europe have sharpened their focus on whether that concentration produces persistent lock‑in, resilience risks and commercially unfair practices.
The European Commission announced on 18 November 2025 that it had launched three coordinated market investigations under the DMA: two company‑specific probes into AWS and Microsoft Azure, and a horizontal sectoral study to test whether the DMA’s obligations are fit for cloud markets. The stated lines of inquiry include interoperability obstacles, data access for business users, tying and bundling of services, and potentially imbalanced contractual terms such as egress fees.

Why the DMA matters for cloud​

The DMA is an ex‑ante regulatory regime designed to impose mandatory obligations on platforms that perform an “important gateway” role between businesses and end users. While the DMA includes bright‑line quantitative thresholds (annual EU turnover, market capitalisation, monthly active end users and yearly business users), it also permits qualitative, evidence‑based market investigations to identify services that functionally act as gatekeepers even when numeric thresholds are not a neat fit. This qualitative route is the mechanism Brussels is now using for cloud. The specific numerical thresholds commonly cited in DMA designations — used as presumptions rather than absolute ceilings — include:

• EUR 7.5 billion EU turnover in each of the last three financial years (or EUR 75 billion market capitalisation) as a market‑size presumption;
• 45 million monthly EU end users and at least 10,000 yearly EU business users to indicate an “important gateway” service.

---

What Brussels actually did​

The three investigations: facts and procedural frame​

• Two company‑level market investigations: one each for Amazon Web Services and Microsoft Azure to determine whether those cloud offerings act as indispensable gateways between businesses and consumers and should be designated as DMA gatekeepers despite not necessarily meeting the DMA’s consumer-facing numeric thresholds.
• One horizontal sectoral probe: a cross‑market study of whether the DMA’s set of obligations can meaningfully address cloud‑specific competition and resilience problems, or whether tailored amendments / additional regulatory instruments are required.

The Commission’s public timetable aims to complete the company‑level fact‑finding within roughly 12 months, although the complexity of technical evidence and possible legal challenges can extend that timeline. The probes will gather contractual documents, pricing data, architectural diagrams, migration tooling metrics and stakeholder testimony.

What investigators will look for​

Investigators will focus on concrete, technical and contractual mechanics that produce switching costs or favour incumbents:

• Egress charges and portability friction that make moving terabytes or petabytes of data costly or operationally difficult.
• Proprietary control‑plane APIs and platform extensions that require substantial re‑engineering to migrate workloads.
• Licensing and pricing differentials that may make it cheaper or operationally simpler to run certain software on the incumbent cloud.
• Bundling and self‑preferencing where first‑party managed services receive preferential integration, placement or performance.
• Resilience exposures arising from operational concentration and high‑impact outages.

---

How the DMA’s mechanics map (and mis‑map) to cloud realities​

The DMA was drafted as a tool for consumer‑facing platforms (search, app stores, social networks, marketplaces). Applying those same prescriptive duties to cloud infrastructure raises immediate conceptual and enforcement challenges.

• Quantitative thresholds are blunt tools for B2B infrastructure. User counts and “monthly active user” metrics are poorly suited to IaaS/PaaS where the commercial relationship is contractual, capacity‑driven and workload‑specific. That is why the Commission explicitly invoked the DMA’s qualitative designation route (Article 3(8)‑style evidence) to assess cloud.
• Interoperability for clouds is technical and multi‑layered. Unlike a messaging app where interoperability can mean protocol bridges, cloud portability touches compute architectures, storage formats, networking constructs, accelerator drivers and performance SLAs. Mandating runtime interoperability could require standards that do not yet exist or would materially change product economics.
• Remedies risk trade‑offs between contestability and investment. Forcing open access to proprietary acceleration hardware or disruptive changes to cloud control planes could deter hyperscalers from investing in new regional capacity and specialised AI infrastructure — the very assets Europe is trying to scale. Policy design must balance contestability with incentives for investment.

These conceptual frictions are precisely what the Commission’s horizontal probe is designed to study.

---

Immediate reactions from the market​

Major industry outlets reported the Commission’s action within hours, and both hyperscalers issued guarded public responses. Microsoft indicated it would cooperate with the inquiry; AWS publicly warned that clumsy regulation risks harming innovation and increased costs. Independent reporting noted that national authorities — notably the UK Competition and Markets Authority (CMA) — had already flagged concentration and switching‑cost issues, which helped crystallise Brussels’ action. Investors and customers reacted fast: share‑price volatility followed the announcement for cloud‑heavy enterprises, while procurement teams started revising risk matrices and exit strategies. For many CIOs the practical message was immediate — revisit contractual escape hatches, clarify egress economics, and strengthen multi‑cloud portability plans.

---

Critical analysis: strengths and weaknesses of the Commission’s approach​

Notable strengths​

• Proactive, systemic framing. Treating cloud as strategic infrastructure — not just another market segment — aligns competition policy with resilience and digital‑sovereignty objectives. The DMA’s ex‑ante tools are fast, enabling regulators to impose corrective obligations before harm ossifies.
• Evidence‑driven, technical fact‑finding. The Commission’s plan to collect architectural diagrams, contracts and migration tooling metrics recognizes that legal conclusions in cloud markets must be anchored in technical reality.
• Flexibility via qualitative designation. The DMA’s Article 3(8) pathway permits Brussels to designate services that act as gateways even if they do not neatly meet the numeric thresholds, which is essential for B2B infrastructure markets.

Real risks and open questions​

• Enforceability and technical precision. Translating obligations like “interoperability” or “non‑discrimination” into enforceable technical requirements for cloud control planes, accelerators and managed services will be extremely complex. Audits would need to examine runtime behaviour across heterogeneous workloads and regions.
• Potential to chill investment. Overly prescriptive rules on hardware access, pricing algorithms or product design could discourage hyperscalers from building costly regional capacity or specialised AI accelerators in Europe.
• Fragmentation risk. If EU remedies diverge from those in other jurisdictions, cloud vendors could bifurcate product roadmaps — maintaining EU‑specific product variants — raising operational overheads for customers and vendors alike.
• Legal uncertainty and litigation. Qualitative designations are more contestable in court than objective thresholds. Expect protracted litigation that could stall remedies or produce narrow judicial interpretations.

---

What this means for Microsoft and Amazon​

For Microsoft Azure​

Microsoft faces scrutiny not just on cloud market share but on licensing dynamics — specifically, whether its licensing terms make it materially cheaper or simpler to run Microsoft workloads on Azure compared with rivals. Past regulatory work (including CMA findings) and ongoing litigation over licensing in the UK amplify the legal risk for Microsoft. Azure’s strategic moves on EU data residency and the firm’s EU‑focused products may be scrutinised both as mitigating steps and as potential sources of market leverage.

For Amazon Web Services​

AWS will face inquiry into its market power across a broad set of platform behaviours: marketplace placements for third‑party services, managed service tie‑ins, and pricing structures that potentially entrench incumbency. AWS’s sheer hosting footprint and ecosystem breadth make the factual record complex but potentially compelling for regulators seeking evidence of “indispensable” gateway roles. Both vendors will have to balance cooperation with the Commission against an instinct to limit information sharing that could create regulatory or commercial precedents.

---

International and geopolitical implications​

This action re‑frames cloud governance as a transatlantic regulatory battleground. U.S. government voices have previously warned that European interventions could disadvantage American firms; conversely, EU policymakers argue that safeguarding resilience, contestability and digital sovereignty justifies robust rules.
Practical consequences will ripple through global procurement and product design. If the EU adopts remedies that push for stronger portability, customers worldwide may benefit; if remedies are overly prescriptive or EU‑specific, vendors could create regionally differentiated products, raising costs and operational complexity.

---

Technical enforcement: an underappreciated challenge​

Designing technical compliance tests for cloud‑level obligations will demand novel capabilities:

• Runtime audits across distributed architectures, not just contractual audits. Regulators will need metrics that measure API behaviour, data‑path differences, or performance differentials in equivalent workloads.
• Standards and test suites for accelerator access, data egress rates and control‑plane parity to avoid subjective enforcement.
• Independent lab testing and reproducible benchmarks to resolve disputes over “preferential treatment” or degraded performance on rival deployments.

The EU probe’s horizontal strand should ideally yield a roadmap for technically precise standards — otherwise enforcement could devolve into expensive, uncertain litigation.

---

Practical checklist for IT leaders and procurement teams​

• Map dependencies. Inventory critical workloads, third‑party integrations, and data flows tied to each cloud provider.
• Strengthen exit clauses. Negotiate measurable egress pricing, data transfer SLAs and technical exit support (including verified migration tooling).
• Design for mobility. Where feasible, containerise, separate data and compute layers, and avoid proprietary orchestration features that create engineering lock‑in.
• Demand observability and audit access. Require transparency on incident root causes and access to logs and performance telemetry that facilitate post‑migration validation.
• Revisit licensing exposure. Assess software vendor licensing terms across cloud platforms; quantify the economic impact of licensing differentials.
• Stress‑test resilience. Run provider‑failure simulations and cross‑region redundancy tests for critical services.
• Engage with regulators. Public buyers and industry groups should submit evidence and technical notes to the Commission to help shape proportionate remedies.

---

Likely scenarios and their implications​

• Scenario 1 — No designation; targeted commitments: Brussels secures behavioural remedies (improved transparency, commitments on egress) without formal gatekeeper designation. This is the least disruptive path but may deliver limited structural change.
• Scenario 2 — Gatekeeper designation for cloud services: If evidence shows AWS or Azure function as indispensable gateways, formal DMA obligations would apply. Expect mandatory interoperability, non‑discrimination duties, audited compliance reporting and steep fines for breaches. This path is transformative and would materially shift cloud contracting, product design and vendor economics.
• Scenario 3 — DMA adaptation or bespoke cloud regime: The horizontal probe could recommend DMA tweaks or a sectoral regulatory regime tailored to cloud. This is the longest path but could produce technically calibrated remedies that balance contestability and investment incentives.

Each outcome has winners and losers: enterprises stand to gain portability and leverage; smaller cloud providers may win market access; hyperscalers will face compliance costs and possible product re‑engineering. The long‑run effect on European cloud capacity will depend critically on whether rules preserve investment incentives.

---

Cross‑checking the key legal and technical claims​

The Commission’s published press release confirms the three investigations and the central lines of inquiry: AWS and Azure, plus a sectoral probe into the DMA’s suitability for cloud. That public document is the definitive starting point for these factual claims. Independent news coverage from Reuters and Bloomberg corroborates the Commission’s posture and summarises the likely practical consequences and market reactions, underscoring that this is a coordinated, high‑stakes regulatory effort. Those independent reports align with the Commission’s framing and provide immediate market reaction context. Legal summaries from major law‑firms and policy outlets confirm the DMA thresholds and the availability of a qualitative designation route — crucial legal mechanics the Commission is now relying upon in the cloud context. These third‑party legal analyses confirm the DMA’s numeric presumptions and the Article 3(8) qualitative pathway the Commission may use for infrastructure services. Where reporting or commentary relies on anonymous briefings, those points should be treated as provisional until confirmed by published Commission notices or the companies’ public submissions. The Commission’s non‑confidential decisions and published statements will be the definitive record to follow.

---

Conclusion​

The European Commission’s decision to publish market investigations on AWS and Microsoft Azure under the Digital Markets Act is a defining moment for cloud governance. It recognises that cloud has become strategic infrastructure whose market dynamics spill over into resilience, competition and the emergent economics of AI.
The Commission’s approach — combining company‑specific probes with a horizontal study — is methodical and appropriately evidence‑driven, but the hard work will be technical. Translating high‑level DMA duties into enforceable, proportionate technical remedies for cloud control planes, specialised accelerators and complex contractual ecosystems will demand industry cooperation, standardisation work and careful calibration to avoid unintended harms to investment.
For IT leaders and procurement teams, the immediate steps are practical: map dependencies, harden portability, renegotiate exit and licensing terms, and demand stronger audit and incident transparency now. The next 12 months of the Commission’s investigations will shape cloud contracting, procurement and architecture decisions for years; what emerges will determine whether Europe secures more contestable cloud markets — without undermining the investment needed to build the very capacity it seeks to protect.

---

Source: MLex Amazon, Microsoft decisions on cloud scrutiny published by EU