EU Opens Cloud Probes into AWS and Azure Under DMA Framework

The European Commission has opened three market investigations focused on the cloud: separate, company‑specific probes into Amazon Web Services (AWS) and Microsoft Azure, plus a horizontal review to assess whether the Digital Markets Act (DMA) is fit for purpose in the face of cloud‑specific competition, interoperability and resilience issues. This is a consequential escalation in Brussels’ push to bring dominant digital infrastructure under the same rigorous guardrails already applied to consumer‑facing platforms, and it could reshape commercial cloud contracts, data portability, interoperability and the cost calculus for European enterprises and cloud customers worldwide.

Background​

The DMA was designed to curb entrenched platform power by naming and regulating so‑called “gatekeepers” — large digital platforms that act as pivotal intermediaries between businesses and consumers. Traditionally the DMA’s designation relied on clear quantitative thresholds (user numbers, market reach and turnover) that fit consumer apps and marketplaces, not complex infrastructure offerings such as public cloud services.
In recent months the Commission signalled that cloud infrastructure has crossed from a niche infrastructure debate to a systemic competition and sovereignty concern. The new inquiries do two things at once: they test whether AWS and Azure functionally operate as “gatekeepers” for cloud services, and they test whether the DMA’s existing toolkit can address cloud‑specific frictions such as proprietary APIs, egress charges, opaque contractual clauses and systemic resilience risks that concentrate power and raise switching costs.

---

What the investigations cover​

Company‑specific market investigations​

• One probe focuses on Amazon Web Services (AWS).
• Another probe focuses on Microsoft Azure.

Both investigations will examine whether these cloud providers, regardless of whether they meet the DMA’s numeric thresholds, in practice act as critical gateways that can influence market access, interoperability and competitive conditions in the cloud ecosystem.

Horizontal assessment of the DMA​

A third, horizontal investigation will review whether the DMA’s current obligations and enforcement mechanisms are adequate to tackle cloud‑specific practices that may reduce contestability or harm customers. This is important because the DMA was conceived principally for consumer platforms and may need technical tweaks to cover infrastructure and B2B gatekeeping dynamics.

Scope and timeline​

The Commission’s procedure is bounded by statutory timetables for market investigations: the company‑level investigations are expected to run for up to 12 months, and a fuller reporting and decision window for related DMA updates or recommendations could extend timelines to roughly 18 months. These timelines set a practical clock for affected businesses, customers and national authorities to respond, contribute evidence and prepare for potential regulatory changes.

---

Legal framework and enforcement mechanics​

How the DMA works in practice​

The DMA imposes ex ante behavioural obligations on designated gatekeepers — companies that the Commission determines hold entrenched, durable market power in “core platform services.” Gatekeeper obligations are prescriptive and proactive (for example, rules against self‑preferencing; requirements on interoperability, data portability and fair access). Non‑compliance can draw severe sanctions.
Key enforcement mechanics to keep in mind:

• The Commission can designate services as gatekeepers even where numeric thresholds are not fully met if the service demonstrably functions as a critical gateway.
• Designated gatekeepers must comply with a tailored set of rules meant to preserve contestability.
• Sanctions for non‑compliance can be substantial: fines may reach up to 10% of worldwide annual turnover for a material breach, and can rise for repeated or systematic breaches; periodic penalty payments and structural or behavioural remedies are also possible.

Penalties and remedies​

The DMA creates a graduated enforcement regime:

• Monetary penalties for non‑compliance can be significant (with maximums designed to deter large firms).
• Repeated or systematic breaches may attract higher fines and, in extremis, remedial measures that go beyond fines, including behavioural orders or structural remedies.
• The Commission can impose periodic penalty payments to force compliance with injunctions or remediation timetables.

This enforcement architecture means that a gatekeeper designation is not merely a compliance checkbox: it triggers a new operational environment with legal, technical and governance consequences.

---

Why Brussels moved on cloud now​

Three interlocking drivers explain the timing and force of this move.

1) Market concentration and scale advantages​

Public cloud revenue and workloads remain concentrated among a small number of U.S. incumbents. That concentration creates network effects, scale advantages and a high degree of technical lock‑in — all classic competition concerns. For European customers, concentration has multiple practical consequences: pricing power, preferential treatment for native services, and economic barriers to switching.

2) Switching friction and proprietary lock‑in​

Cloud vendors own the APIs, tooling, and in many cases the integrated runtime stacks used by customers. That means migration is not simply a matter of transferring bits; it often requires re‑architecting applications, retraining teams, negotiating complex licensing transitions and accepting potential downtime or degraded performance. Contractual terms — notably egress fees, licensing constraints and operational dependencies — further raise the cost of movement between clouds.

3) Resilience, outages and strategic tech policy (AI)​

High‑impact outages over the previous year revealed systemic fragilities and a deep concentration of critical workloads. Simultaneously, the acceleration of AI workloads — demanding specialized hardware, vertically integrated software stacks and data ecosystems — has intensified the strategic value of controlling infrastructure and platform capabilities. For European policymakers, the cloud is not just a competition question but an industrial policy and resilience issue tied to digital sovereignty.

---

What AWS and Microsoft have said (corporate posture)​

Both companies have pushed back publicly on the premise that they operate as gatekeepers in the DMA sense. Their responses share a few consistent themes:

• The cloud sector is highly dynamic and competitive, offering customers broad choice and continual innovation.
• Designating cloud providers as gatekeepers risks stifling innovation and raising costs for business customers.
• They are ready to engage with the Commission and supply evidence showing the competitive nature of the market.

These are familiar arguments in regulatory confrontations: incumbents highlight competition on performance, pricing and feature velocity while warning that heavy‑handed regulation could lower incentives for investment. Whether those claims will persuade regulators who are focused on lock‑in mechanics and structural friction remains to be seen.

---

Potential outcomes and remedies the Commission could pursue​

The Commission’s options range from narrow to sweeping. Understanding the practical implications helps IT decision‑makers and partners model scenarios.

• No gatekeeper designation: The Commission could conclude that the DMA thresholds and qualitative factors do not apply to cloud services, choosing instead to pursue competition remedies through traditional antitrust investigations or sectoral initiatives.
• Gatekeeper designation for specific cloud services: If AWS or Azure are designated for their cloud services, the companies would face prescribed obligations — likely covering interoperability, portability, non‑discriminatory access to APIs and marketplaces, and clearer contract terms for business customers.
• DMA rule updates: The horizontal probe could lead the Commission to recommend or draft DMA amendments or complementary guidance clarifying how gatekeeper concepts apply to cloud infrastructure.
• Remedies beyond DMA: In the event of systematic non‑compliance or structural concerns, the Commission could seek behavioural remedies (e.g., banning certain bundling practices) or, in the most extreme cases, structural remedies after extended market investigations.

Each scenario carries different implementation timelines and technical consequences for customers and partners.

---

Technical issues under scrutiny (what engineers and architects should watch)​

If regulators press on the cloud gatekeeper concept, several technical domains will come under the microscope.

• APIs and proprietary extensions: Regulators will scrutinize whether vendors make migration impractical by layering proprietary APIs and extensions that create lock‑in.
• Data portability and egress: Egress processes, costs and technical obstacles will be evaluated to determine whether customers can move data and workloads without punitive friction.
• Interoperability and open standards: Expectations for open, well‑documented standards and compatibility layers may increase, with pressure on vendors to support cross‑cloud orchestration and data exchange.
• Marketplace and managed service preferences: The extent to which cloud providers prefer their own managed services and marketplace offerings over third‑party equivalents will be a focal point.
• Service level transparency: Clarity around SLAs, incident responses and failure modes will matter, especially where outages have systemic impacts.
• AI stack dependencies: Access to specialized accelerators, pre‑trained models and vertically integrated AI tooling might be treated as competitive chokepoints.

For engineers, the upshot is that legal pressure may translate into new technical requirements: standardized APIs, migration toolsets, clearer billing and export utilities, and stronger contractual right‑to‑port mechanisms.

---

Practical implications for enterprises and ISVs​

For enterprise IT buyers​

Enterprises should treat the investigations as a signal rather than a crisis. Still, prudent risk management justifies immediate, low‑cost steps:

• Audit cloud dependencies: Map workloads, dependencies on proprietary APIs, and data gravity points that complicate migration.
• Negotiate migration clauses: Renegotiate contracts to secure migration assistance, escrow arrangements, or capped egress fees where possible.
• Build portability into new projects: Choose containerized, cloud‑agnostic architectures where feasible and rely on open standards.
• Add resilience and multi‑cloud plans where it makes sense: For critical services, consider multi‑region or multi‑provider fallbacks to reduce systemic risk.

For independent software vendors and system integrators​

ISVs and integrators should lean into portability and tooling that reduces vendor lock‑in as a market differentiator. Offering migration tools, abstraction layers and robust multi‑cloud deployment pipelines will likely increase in value if regulators press for portability and interoperability.

For cloud native startups​

Smaller cloud customers and startups may see both risks and opportunities. On one hand, vendor constraints could complicate rapid prototyping on a single provider. On the other, greater regulatory pressure to lower switching costs could create room for competitive offerings and specialised managed services.

---

Strategic risks and potential benefits​

Risks​

• Regulatory uncertainty: Pending investigations create an uncertain planning horizon. Enterprises must hedge without overreacting to speculative outcomes.
• Compliance and cost: If DMA obligations are applied to cloud providers, compliance costs may pass through to customers, at least in the short term.
• Fragmentation risk: Divergent national or EU‑level rules could complicate global cloud operations and increase compliance overhead for multinational firms.

Benefits​

• Lower switching friction: Successful regulatory interventions could reduce lock‑in, lower migration costs and foster competition on features, pricing and customer service.
• Stronger interoperability: Mandated or encouraged standards would make multi‑cloud operations easier and reduce vendor‑specific technical debt.
• Resilience and sovereignty gains: Clarifying the strategic role of cloud infrastructure can pay dividends in systemic resilience and Europe’s digital autonomy ambitions.

---

Political and geopolitical context​

Cloud regulation does not occur in a vacuum. The EU’s move intersects with broader transatlantic economic and political relations. Tensions sometimes arise when EU enforcement targets major U.S. tech firms, and political pushback can shape both rhetoric and diplomatic friction. At the same time, EU policymakers are motivated by a blend of competition policy, industrial strategy and data governance priorities — particularly as AI, critical infrastructure and national security considerations converge.
This investigation is therefore as much about market functioning as it is about strategic positioning: the EU seeks to preserve competitive markets while reinforcing its capacity to set rules for essential digital infrastructure.

---

What to watch next (milestones and indicators)​

• Formal statements and responses from AWS and Microsoft: Expect detailed evidence submissions and public briefings that frame market structure data and customer choice metrics.
• Requests for information (RFIs): The Commission will likely issue RFIs to customers, competitors and national authorities; organisations asked to contribute should prepare structured factual replies.
• National authorities and cooperation: Member State regulators and competition authorities may participate; cross‑jurisdiction coordination will be informative about possible remedies.
• Interim technical guidance: The Commission or its technical advisors might publish guidelines or stakeholder papers that reveal enforcement thinking.
• Potential DMA updates: Watch for proposals to amend or supplement the DMA to better capture infrastructure markets if the horizontal probe identifies gaps.

These milestones will shape the practical and legal contours of any eventual decisions.

---

Preparation checklist for IT leaders (practical steps)​

• Inventory and map dependencies: Catalogue which applications rely on managed services, proprietary APIs, or specialized hardware provided by a single cloud provider.
• Estimate migration costs: Create ballpark budgets for moving core workloads, including refactoring, staff training and testing.
• Strengthen contractual positions: Seek clearer language on data export, egress fees, transitional support and SLA commitments.
• Adopt portable architectures: Prioritise containerization, orchestration (Kubernetes), and infrastructure‑as‑code to reduce switching friction on new projects.
• Engage legal and procurement: Align procurement, legal and technical teams to prepare evidence and comments in case RFIs reach your organisation.
• Monitor policy windows: Assign an internal lead to track regulatory developments and coordinate responses across business units.

These measures are low friction but high value: they reduce exposure to vendor lock‑in while improving operational resilience.

---

Analytical take: strengths and blind spots of the Commission’s approach​

Strengths​

• Principled focus on structural contestability: The Commission is right to treat cloud as strategic infrastructure where contestability drives innovation, resilience and choice.
• Flexible legal pathway: Using the DMA’s qualitative route allows the Commission to account for cloud realities that numeric thresholds do not capture.
• Alignment with resilience and AI strategy: Bringing cloud under closer scrutiny dovetails with wider EU goals on digital sovereignty and safe AI deployment.

Blind spots and risks​

• Regulatory overreach vs. innovation: Overbroad obligations could unintentionally blunt the incentives for large‑scale investment in specialized infrastructure (e.g., accelerators for AI), raising costs for European customers.
• Implementation complexity: Forcing technical interoperability or mandating open substitutes for proprietary stacks is non‑trivial and could fragment ecosystems if handled clumsily.
• Pass‑through costs and unintended winners: Compliance costs could be passed to customers, and regulation could benefit certain vendors (e.g., local or regional providers) unevenly, with collateral market distortions.
• Enforcement jurisdictional frictions: Global cloud providers operate across many legal regimes; resulting patchwork enforcement could complicate global operations and raise legal uncertainty.

The Commission faces a classic balancing act: preserve contestability and customer rights without throttling the investment and integrated innovation that define modern cloud platforms.

---

Conclusion​

Brussels’ decision to open targeted investigations into AWS and Microsoft Azure marks a material inflection point in cloud regulation. The move signals that the Commission is prepared to test the DMA’s reach beyond consumer platforms and into the infrastructure layer that underpins contemporary digital economies and emerging AI ecosystems. The implications are broad: they include potential technical mandates around interoperability and data portability, legal obligations that change vendor governance models, and strategic shifts in how European enterprises and governments approach cloud sourcing and resilience.
For IT leaders, the immediate imperative is pragmatic preparedness: map dependencies, shore up contractual protections, and prioritise portability in new workloads. For policymakers and technologists, the task is harder — design rules that protect contestability and resilience while preserving the incentives that drive cloud innovation. The next 12–18 months will be decisive: regulatory letters, stakeholder consultations and technical reports will crystallise the envelope of possible remedies. Whatever the final outcome, one certainty is clear: cloud governance has moved from the margins to the center of digital policy, and organizations that adapt early will find themselves better placed to manage risk and seize opportunity.

---

Source: Channelweb https://www.channelweb.co.uk/news/2025/european-commission-amazon-microsoft-cloud-investigation/