EU DMA Scrutiny on AWS and Azure: Impacts for Cloud and Compliance

The European Commission has opened formal market scrutiny into whether Amazon Web Services (AWS) and Microsoft Azure should be treated as regulated “gatekeepers” under the Digital Markets Act (DMA), raising the prospect that the two dominant hyperscalers could face new interoperability, data-access and anti‑self‑preferencing obligations — and penalties of up to 10% of global turnover for non‑compliance.

Background / Overview​

Cloud infrastructure sits at the heart of modern digital services: everything from streaming and banking to AI training runs on contractors’ fleets of servers, storage arrays and networking fabric. The DMA, the EU’s flagship competition instrument for Big Tech, defines a set of core platform services and creates a special legal status — gatekeeper — for firms that are so pivotal they can distort contestability in markets. Gatekeepers must follow a catalogue of obligations designed to protect business users and end users; failing to comply risks heavy fines and remedial powers. The recent action from Brussels is notable because cloud services do not map neatly onto the DMA’s original, quantitative thresholds (annual EEA turnover and minimum EU user / business user counts). Rather than relying solely on numerical tests, the Commission is using the DMA’s market‑investigation powers to ask whether AWS and Azure nonetheless act as “important gateways between businesses and consumers” — a qualitative test that can yield a gatekeeper designation even when strict thresholds are not met. The Commission has used that same mechanism previously to assess services that fell outside the simple threshold calculations.

---

What Brussels has opened and why it matters​

What the Commission is looking at​

The market inquiry aims to establish whether Amazon Web Services and Microsoft Azure:

• function as indispensable intermediaries for businesses and end users in ways that give them entrenched market power;
• create technical, contractual or commercial lock‑in that hampers switching or multi‑cloud strategies;
• engage in conduct that could be addressed by the DMA’s do’s-and-don’ts (interoperability, non‑discrimination, data access, etc..

These investigations are not immediate enforcement actions; they are fact‑finding processes that can lead to designating a new gatekeeper service (under the DMA’s Article 3(8) pathway) or to tailor-made remedies if systemic issues are uncovered. The Commission can take up to 12 months for investigations that rely on the qualitative designation route.

If designated, what changes for AWS and Azure​

Designation as a DMA gatekeeper carries real operational consequences. The core obligations most likely to be relevant to cloud providers include:

• Interoperability: allowing third‑party services to interoperate with gatekeeper functions where feasible;
• Data access: enabling business users to access the data they generate on the platform and preventing unfair capture of business user data by the gatekeeper for self‑preferencing;
• Non‑preferencing: prohibiting the gatekeeper from treating its own cloud‑adjacent services more favorably in rankings or procurement contexts;
• Transparency and auditing: obligations to explain automatic decision systems and to publish compliance reports.

Non‑compliance can trigger fines up to 10% of worldwide turnover, escalating to 20% for repeated breaches; for systematic failure the Commission can order structural remedies. Those instruments make the DMA an unusually heavy‑duty toolbox.

---

Why the EU is moving on cloud now​

The cloud is no longer a back‑office utility — it is strategic infrastructure​

Cloud platforms are now the default infrastructure for AI, high‑scale analytics and large SaaS deployments. The EU’s stated policy aim is to secure a fair, open and competitive cloud ecosystem that supports European AI ambitions and digital sovereignty. The Commission has signalled concern that a small set of hyperscalers control access to critical computing and data resources that underpin emergent markets. This strategic framing underpins the present market investigations.

Parallel probes and political pressure​

Regulators and lawmakers across jurisdictions have been scrutinising cloud concentration for some time. The UK’s Competition and Markets Authority (CMA) published provisional findings in its cloud market inquiry concluding that AWS and Microsoft hold very strong positions with high levels of concentration and barriers to entry, and proposed designating them with the UK’s Strategic Market Status in the most serious scenarios. Those UK findings sharpen the context for EU action and show a broader regulatory appetite to address cloud concentration. At the same time, U.S. authorities have been asking questions about cloud pricing and licensing practices: the Federal Trade Commission and U.S. legislators have flagged egress fees, bundling and exclusive arrangements as potential competition problems. That transatlantic scrutiny adds momentum to Europe’s assessment and raises geopolitical stakes.

---

What the UK CMA and other investigations found — and why that matters to Brussels​

The CMA’s provisional report (publicised January 2025) found that:

• AWS and Microsoft may each command up to roughly 40–50% and 30–40% shares in IaaS markets respectively, depending on segmentation;
• technical and commercial switching costs, including proprietary services, egress charges and licensing terms, materially reduce multi‑cloud mobility;
• barriers to entry (very large capital expenditure and scope economies) make it difficult for challengers to scale.

Those findings support the European Commission’s interest: even if cloud incumbents don’t fit the DMA’s numeric gatekeeper thresholds, their market behaviour could create similar competitive bottlenecks. The CMA has proposed remedies aimed at egress fees, interoperability and discriminatory licensing. EU authorities will be watching closely for convergent evidence.

---

Industry response and immediate reactions​

AWS and Microsoft have pushed back publicly. Amazon Web Services argued that the cloud sector is dynamic and highly competitive, warning that designating cloud providers as gatekeepers risks stifling innovation and raising costs for European firms. Microsoft likewise emphasised competition and said it was ready to engage constructively in the market inquiry. Those statements mirror previous responses when regulators probed cloud markets. The industry objections raise two recurring claims:

• that market concentration is a feature of superior product offering and scale efficiencies, not necessarily anti‑competitive conduct; and
• that heavy‑handed rules could raise compliance costs, slow product rollouts, and deter investment in Europe.

Both arguments have resonance; they are central to the policy trade‑offs regulators must weigh. Independent academic and industry analyses caution regulators not to confuse high investment returns with durable anticompetitive foreclosure, while competition authorities point to the real costs and security implications of lock‑in.

---

Technical and legal complexity — why this is harder than designating an app store or search engine​

Cloud infrastructure differs from consumer services in ways that complicate DMA application:

• Who is the “end user”? For cloud IaaS and PaaS the primary customers are businesses (Netflix, banks, SaaS vendors), raising questions about whether the DMA’s “business user” vs “end user” distinctions apply the way they do for app stores. The DMA and guidance leave important definitional questions that regulators must answer when applying gatekeeper rules to cloud.
• Technical switching costs are real and heterogenous. Moving large datasets and stateful workloads between providers entails porting, revalidation and often architectural redesign. That isn’t a mere marketing friction — it has engineering and compliance costs that can justify some fees. Regulators must sort legitimate product design from anti‑competitive hurdles.
• Security and confidentiality constraints. The DMA’s data‑access obligations could raise operational security and confidentiality trade‑offs if poorly scoped. Regulators must weigh data‑sharing goals against real risks of exposing sensitive topology and customer relationships. Policy analyses emphasise those trade‑offs and urge careful calibration.

Because of these complexities, the Commission is rightly approaching cloud via a market‑investigation route that allows technical evidence gathering and stakeholder input before any gatekeeper label is affixed.

---

What the DMA could require cloud gatekeepers to do — practical implications​

If AWS or Azure were designated as gatekeeper services for cloud computing, possible practical outcomes include:

• Lower switching friction: restraints on contractual egress fees, clearer portability standards, or mandated APIs to export data and state in common formats.
• Third‑party interoperability: enabling competing specialist services (databases, machine‑learning toolchains) to run seamlessly on or with the incumbent platforms without discriminatory treatment.
• Data governance guarantees: obligations to let business customers access telemetry and datasets they generated on the platform, reducing information asymmetries that can enable self‑preferencing.
• Prohibition on self‑preferencing: limits on bundling of proprietary managed services in ways that disadvantage rivals.

These measures could ease migration and competition but would impose implementation and compliance costs on providers and — depending on execution — could affect product roadmaps, price structures and contractual models. Regulators will have to weigh those trade‑offs and may design targeted rather than blanket remedies.

---

What to watch next — timeline, tests and likely legal flashpoints​

• Market investigation timeline. The Commission’s qualitative designation route can run up to 12 months; parallel non‑compliance or specification proceedings elsewhere may proceed on different timetables. Expect months of evidence gathering, stakeholder questionnaires and technical briefings.
• Key tests the Commission will apply:
• Does the cloud service create an important gateway for business users to reach end users?
• Are there entrenched switching costs (technical, contractual, security) that reduce contestability?
• Are there patterns of conduct (pricing, bundling, discrimination) that materially disadvantage competitors?
• Areas likely to generate legal fights:
• Definitions of “business user” and "end user" in IaaS/PaaS contexts;
• The scope and limits of data‑access obligations where confidentiality or national security are claimed;
• Remedies that could be framed as extraterritorial regulation of non‑EU companies.

Given the stakes, any designation is likely to face deep scrutiny in EU courts and prompt robust lobbying and political pressure on both sides of the Atlantic.

---

Risks and trade‑offs — a pragmatic assessment​

Strengths of the Commission’s move​

• Proactive competition oversight: Cloud underpins AI and digital economic activity; early scrutiny can prevent lock‑in that would later be far harder to reverse.
• Holistic regulatory fit: The DMA’s toolbox — interoperability, non‑preferencing, and data‑access duties — is well‑matched to many of the complaints about cloud gatekeepers.
• Signal effect: Investigations encourage market actors to adjust behaviour voluntarily, improving transparency and possibly lowering anti‑competitive practices without heavy remedies.

Potential risks and blind spots​

• Overreach or mis‑specification: Poorly designed obligations could harm innovation incentives, raise costs for downstream businesses and slow product rollouts in Europe.
• Fragmentation and fragmentation costs: Divergent remedies across the EU, UK and U.S. could increase compliance complexity for global suppliers and fragment cloud‑native product design.
• Trade and political backlash: U.S. policymakers and some business groups frame EU digital rules as protectionist or as non‑tariff trade barriers; regulatory escalation risks political friction and possible retaliatory measures.

Net assessment​

A balanced approach is essential. The Commission’s market inquiry is the right instrument to collect the granular technical evidence needed to avoid blunt remedies. Regulators must design narrowly tailored obligations that solve specific foreclosure problems — for example limiting abusive egress fees or requiring standardized export APIs — rather than imposing sweeping architectural mandates that could undermine efficiencies delivered by scale. Evidence‑based, proportionate remedies would maximise consumer and business value while reducing unintended harms.

---

Enterprise and vendor playbook: short‑term practical steps​

Companies that consume cloud services and cloud providers themselves should prepare for a landscape of increased regulatory scrutiny:

• For cloud customers:
• Conduct a rapid audit of data egress exposure and contractual exit terms.
• Increase multi‑cloud portability planning and document migration costs as evidence in regulatory consultations.
• Engage proactively in EU consultations and national inquiries to ensure factual record is robust.
• For cloud providers:
• Inventory technical interoperability options and document legitimate security constraints.
• Reconsider pricing/multiyear discount structures and egress policies to reduce regulatory friction.
• Expect to allocate legal, policy and engineering resources to respond to questionnaires and to participate in technical workshops.

These measures will help firms reduce their compliance exposure and to make credible arguments about what trade‑offs are necessary for security and performance.

---

Likely scenarios and strategic implications​

• No designation, targeted remedies: Commission finds competition problems but imposes narrow behavioural remedies (egress rules, interoperability APIs). This is the least disruptive outcome and favours incremental fixes.
• Gatekeeper designation for cloud services: AWS and/or Azure acquire DMA obligations for cloud; this would be the most consequential outcome, forcing systemic changes to how managed services are packaged and priced.
• Coordinated transatlantic policy response: EU action is mirrored by UK and targeted U.S. scrutiny (FTC, congressional inquiries), producing a patchwork of overlapping obligations that cloud vendors must reconcile.

Each scenario produces different competitive incentives. A designation could accelerate alternative cloud growth in Europe if combined with market opening measures, but it could also invite strategic responses from incumbents to shift product offerings or investment patterns globally.

---

Closing analysis — why this matters for WindowsForum readers​

The Commission’s inquiry is not an abstract regulatory tussle; it strikes at the plumbing of the modern internet and at the resource stack that Windows developers, enterprise architects and cloud‑native teams rely on. If the DMA is applied to cloud providers, the practical effects could include reduced vendor lock‑in, clearer portability guarantees, different pricing structures, and new compliance obligations for enterprise customers and ISVs. Conversely, poorly targeted interventions could raise costs, delay feature rollouts, or fragment the developer experience.
The path ahead will be technical, political and legal. Stakeholders should expect months of fact‑gathering, public consultations and industry testimony; any substantive changes are likely to unfold over a multi‑year horizon. For practitioners, the immediate priority is to document real switching costs, to strengthen multi‑cloud portability plans, and to follow regulatory inputs so that technical reality is central to policy outcomes.

---

Note on sourcing and a caution: mainstream reporting (including the Associated Press) confirms that the European Commission has opened an inquiry into AWS and Azure under the DMA framework; official Commission documents explain how the DMA’s gatekeeper designation and market‑investigation tools work. Some press pieces attribute specific quotes to Commission Vice‑President statements — a few of those attributions were not found in a Commission press release text during verification and should be treated as paraphrase or reporting of officials’ positions rather than verbatim Commission proclamations. Where possible this article relies on primary institutional texts (DMA guidance and Commission materials), the CMA’s published provisional findings on the UK cloud market, and major news reporting of the Commission’s action.

---

Source: theregister.com EU eyes AWS, Azure for gatekeeper tag in cloud clampdown