EU DMA Probes AWS and Azure: Impact on Cloud and Enterprise IT

The European Commission has opened a high‑stakes set of market investigations that could bring Amazon Web Services (AWS) and Microsoft Azure within the EU’s toughest digital rulebook — the Digital Markets Act (DMA) — and, in doing so, reshape how hyperscale cloud platforms operate across Europe and how enterprises plan, contract and architect for the cloud.

Background / Overview​

Cloud infrastructure has evolved from a procurement choice into strategic digital plumbing. Public cloud platforms power banking systems, public-sector services, critical communications and the compute fabric for large‑scale AI training. That systemic role has drawn regulators’ attention: Brussels has launched two company‑specific market investigations — one for AWS and one for Microsoft Azure — plus a horizontal study to assess whether the DMA’s existing toolkit is fit to police competition and resilience in cloud markets. The DMA was drafted to impose ex‑ante obligations on a set of “gatekeepers” — digital services so pivotal they can distort competition. Its remedies include forced interoperability, restrictions on self‑preferencing, business‑user protections and heavy penalties for non‑compliance (fines of up to 10% of worldwide turnover, rising to 20% for repeated breaches). The Commission can also design behavioural or, in extreme cases, structural remedies following market investigations. This move follows sustained pressure from national authorities — notably the UK’s Competition and Markets Authority (CMA) — and a string of high‑profile outages and market signals that underline cloud concentration, switching frictions and the rise of AI‑driven infrastructure demands. The CMA’s provisional findings flagged that Microsoft and Amazon each hold substantial shares of UK cloud spending and identified practices (egress fees, licensing differences, bundling) that can create effective lock‑in for customers.

---

Why Brussels has turned the spotlight to cloud​

Cloud matters to competition authorities for several concrete reasons:

• Market concentration — A small set of hyperscalers (AWS, Microsoft Azure, Google Cloud) capture the majority of public IaaS/PaaS spending in many markets, creating scale advantages that can be self‑reinforcing.
• Lock‑in mechanisms — Commercial and technical frictions — such as egress charges, proprietary APIs, and licensing schemes that make it cheaper to run workloads on a provider’s own cloud — raise the cost of switching.
• Self‑preferencing and vertical integration — Hyperscalers increasingly offer managed services, developer tooling and marketplaces that sit atop their infrastructure, creating incentives to favour first‑party services.
• Systemic resilience and sovereignty — Large outages and the strategic importance of compute resources for AI and national services have made cloud concentration a public‑policy problem, not only a competition issue.

Taken together, these dynamics prompted the Commission to use the DMA’s market‑investigation route — a qualitative mechanism that can designate services as gatekeepers even when the DMA’s numeric thresholds do not cleanly apply to infrastructure offerings.

---

What the Commission is investigating — the nuts and bolts​

Three coordinated threads​

• Company‑specific market investigation into Amazon Web Services (AWS) to determine whether certain AWS offerings functionally act as DMA “gatekeeper” services.
• Company‑specific market investigation into Microsoft Azure on the same questions.
• A horizontal, sectoral study to assess whether the DMA’s existing rules and enforcement model are technically and legally appropriate for cloud infrastructure, or whether sector‑specific adaptations are required.

The Commission aims to complete the inquiries within roughly 12 months, though complex technical evidence and legal challenges can extend timelines in practice. These are fact‑finding procedures rather than immediate enforcement actions; they can, however, lead to designation and the imposition of obligations or tailored remedies.

Key topics in scope​

• Portability & egress fees: Are transfer costs and technical obstacles making migration prohibitively expensive for business users?
• Interoperability & APIs: Are proprietary control‑plane primitives or absent standard interfaces creating lock‑in?
• Pricing and licensing practices: Do differential licensing terms favour native usage on a provider’s own cloud (for example, Windows Server licensing economics)?
• Self‑preferencing & bundling: Are first‑party managed services or marketplace placements disadvantaging rivals or independent ISVs?
• Data access and portability for business users: Can customers access the data they generate and move it reliably to rivals?

---

What a “gatekeeper” designation would mean for cloud platforms and customers​

If AWS or Azure (or subsets of their services) are designated as gatekeepers in the cloud domain, several concrete obligations could follow:

• Non‑discrimination: First‑party services must not be unfairly favoured over third‑party equivalents.
• Interoperability obligations: Where technically feasible, gatekeepers may need to provide interfaces or technical hooks that enable rivals to interoperate with essential functions.
• Data‑access and portability guarantees: Business users would gain clearer rights to access and move their operational and billing data.
• Transparency and auditing: Requirements to explain automated systems, publish compliance reports and accept regulator audits.
• Heavy sanctions for non‑compliance: Fines can reach up to 10% of global turnover for first breaches, 20% for repeat infringements; periodic penalty payments are also possible.

For enterprise customers, the upside could include stronger portability guarantees and protections against self‑preferencing. The downside — noted repeatedly by cloud providers — is the risk of increased complexity, potential fragmentation of technical standards and higher operating costs that could be passed down to customers.

---

Independent verification and the evidence base​

The Commission’s initiative is widely reported and corroborated by multiple independent outlets and public bodies. Reuters and AP reported the opening of the DMA probes into AWS and Azure and the third horizontal study. The European Commission’s DMA documentation confirms the legal framework — including the 10% / 20% penalty structure and the existence of market‑investigation powers that can qualify services as gatekeepers beyond bright‑line thresholds. National findings add weight to Brussels’ concerns. The UK’s CMA published provisional findings that highlighted competition shortfalls in the cloud market and recommended further regulatory scrutiny of Amazon and Microsoft under the UK’s new digital markets powers; the CMA’s provisional report specifically cited licensing and switching friction as problematic. Taken together, these sources provide a multi‑jurisdictional and multi‑media corroboration of the Commission’s action and the core concerns motivating it.

---

What this means for enterprise IT teams and WindowsForum readers​

The practical implications for IT teams and architects are immediate and tactical:

• Map cloud dependencies now. Inventory workloads, identify services tethered to provider‑specific managed services (databases, identity, proprietary AI toolchains), and prioritise the highest‑risk lock‑in paths.
• Revisit contractual exit terms. Clarify egress pricing, snapshot and backup mechanics, and dispute/SLAs for portability. Negotiate defined exit tests and interoperability commitments where possible.
• Prioritise portability in design. Containerization, Kubernetes orchestration, and platform‑agnostic service layers make migration feasible and reduce re‑architecture risk.
• Adopt multi‑cloud and hybrid resilience patterns. For mission‑critical services, diversify placement to reduce systemic exposure to single‑provider outages, while balancing complexity and cost.
• Document competitive harm. If customers can show factual evidence of switching costs or discriminatory behaviour, that material may inform regulators and speed resolution.

Short‑term operational steps (ranked):

• Run a cloud dependency heatmap for top 50 business‑critical applications.
• Identify services with proprietary lock‑in (serverless frameworks, managed DB features, vendor‑specific AI accelerators).
• Negotiate contract clauses on egress and data extraction timelines.
• Test a controlled migration (proof‑of‑concept) to a secondary provider where feasible.

---

How cloud providers are likely to respond​

AWS and Microsoft have signalled cooperation with the Commission but warned against heavy‑handed remedies that could curb innovation and raise costs. Industry lobby and strategic responses will include:

• Legal and procedural challenges — Contesting the legal basis for applying DMA obligations to infrastructure, especially where numeric DMA thresholds were not designed for enterprise services.
• Offer targeted commitments — Proposing technical and contractual fixes (improved portability tools, clearer pricing) short of accepting gatekeeper designation.
• Economic arguments — Emphasising investment, jobs and the need for scale to deliver advanced AI hardware and global resilience.
• Political engagement — Lobbying national governments and using public communications to frame the case that prescriptive regulation risks chilling investment in European data centers.

For rivals and cloud‑native challengers, the Commission’s move creates an opportunity to press for remedies that reduce switching friction and create more level procurement conditions.

---

Strengths of the EU’s regulatory approach​

• Proactive systemic thinking: Treating cloud as a potential gateway recognizes that upstream infrastructure can shape competition across many downstream markets.
• Ex‑ante tools: The DMA’s preventive obligations can act faster than after‑the‑fact antitrust interventions, which often come too late to undo lock‑in.
• Protection for business users: Clearer portability and anti‑self‑preferencing rules could lower switching costs and spur competitive innovation.

---

Risks, trade‑offs and technical feasibility concerns​

• Misapplied obligations could break operational models. The DMA was written with consumer platforms in mind; mapping its duties onto low‑level infrastructure has non‑trivial technical and economic consequences that risk unintended disruption if not carefully tailored.
• Fragmentation risk: Mandated APIs or divergent national remedies could fragment standards, increasing integration burdens for multinational customers.
• Investment disincentives: Large‑scale cloud capacity and specialized AI accelerators require long‑lived capital investments; rules perceived as hostile could slow deployment in Europe.
• Compliance complexity for customers: If providers reprice or restructure offerings to offset compliance costs, small and medium enterprises may face higher bills.

These trade‑offs explain why the Commission’s horizontal study — assessing whether DMA tools need adaptation for cloud — is a critical element of the exercise. A one‑size‑fits‑all application risks technical impracticability and market distortion.

---

Scenarios to watch (12‑ to 36‑month horizon)​

• Scenario A — Targeted commitments, no designation. Providers offer technical and contractual fixes (reduced egress friction, clearer export tools) sufficient to avert gatekeeper designation. This is the least disruptive outcome but yields incremental rather than systemic change.
• Scenario B — Designation + tailored DMA obligations. One or both providers are designated for specific cloud services, with tailored interoperability and non‑discrimination obligations. Customers gain stronger portability rights but face a period of adjustment as providers implement changes.
• Scenario C — Deep remedies and structural measures. In the most extreme case of repeated or systemic breaches, structural remedies or divestments could be considered — an outcome that would reconfigure global cloud competition but carry high legal and economic costs.

Regulators elsewhere (UK, U.S. will watch Brussels closely. The CMA’s provisional findings and the EU probe create a coordinated transatlantic pressure environment that could yield aligned remedies — or regulatory divergence if jurisdictions disagree on the correct approach.

---

Critical analysis: what regulators must get right​

• Be precise and technically literate. Remedies must be specified at the interface level (APIs, data formats, billing records), with engineering test suites and transition timelines to avoid crippling operational realities.
• Avoid creating parallel, incompatible standards. Any mandated interoperability should be aligned with existing industry standards where possible and driven by cross‑industry technical groups.
• Use proportional remedies. Behavioral fixes (clearer contracts, non‑discrimination regimes, certified portability tools) should be the default; structural remedies must remain a last‑resort tool for demonstrated, irremediable harm.
• Protect investment incentives. Regulations should aim to lower anti‑competitive behaviours without punishing the scale and innovation that underpin cloud security and sophisticated managed services.

If Brussels balances these elements, outcomes could measurably improve contestability without undermining the performance and reliability enterprises expect from modern cloud platforms. If not, the risk is regulatory overreach that fragments markets and slows the deployment of advanced infrastructure in Europe.

---

What readers and procurement teams should do right now​

• Update cloud procurement playbooks to include regulatory‑contingency language.
• Require providers to supply export test data and time‑bound egress commitments in procurement contracts.
• Validate rescue/rollback strategies in production runbooks to improve resilience to provider outages.
• Track the Commission’s formal notices and participate in public consultations — credible, documented customer testimony matters in market investigations.

---

Closing assessment​

Brussels’ decision to probe AWS and Microsoft Azure under the DMA is a decisive escalation in the EU’s approach to digital competition policy. It recognises cloud infrastructure as a strategic input where concentration can have systemic consequences for competition, resilience and digital sovereignty. The probes are both an opportunity and a test: an opportunity to reduce lock‑in and protect business users, and a test of regulators’ ability to craft technically feasible, proportionate remedies that preserve incentives for large‑scale investment and innovation. For enterprises, the immediate imperative is practical preparedness: map dependencies, harden portability, tighten contract exit protections and adopt architectural patterns that reduce single‑provider risk. For policy‑makers and technical communities, the imperative is to translate high‑level obligations into precise, testable technical requirements that actually deliver portability, interoperability and non‑discrimination — without fragmenting the global cloud ecosystem.
The next 12 months will be consequential. The Commission’s investigations will collect evidence, hear industry and customer testimony, and potentially shape a new regulatory baseline for cloud services in Europe. How regulators, providers and customers respond will define whether cloud regulation becomes a lever for healthier competition — or an unintended brake on the very innovation and scale that underpin modern computing.

---

Source: Digital Journal Amazon, Microsoft cloud services could face tougher EU rules
Source: Business Recorder Amazon, Microsoft cloud services could face tougher EU rules