EU Opens DMA Probe on AWS and Azure Cloud Gatekeepers

The European Commission has launched a trio of market investigations that put Amazon Web Services and Microsoft Azure squarely in Brussels’ crosshairs, opening the possibility that the two dominant cloud providers could be treated as regulated “gatekeepers” under the bloc’s Digital Markets Act — with major implications for competition, cloud sovereignty and the economics of doing business in Europe.

Background​

The Digital Markets Act (DMA) is the EU’s flagship tool for policing the behaviour of the largest digital platforms. Designed to prevent a small number of tech companies from using platform control to squeeze rivals and lock in users, the DMA combines quantitative thresholds with qualitative tests to determine which services should be designated as gatekeepers. Gatekeeper status brings a strict set of ex ante obligations — from preventing self‑preferencing to enabling interoperability — and heavy enforcement powers for regulators, including fines that can reach double‑digit percentages of global turnover for serious breaches.
Cloud computing sits on the DMA’s list of potential “core platform services,” but hyperscale infrastructure providers have until now avoided formal gatekeeper designation for their cloud products. The European Commission’s newly opened market investigations will test whether AWS and Azure behave as important gateways between businesses and consumers in ways that justify bringing cloud services under the DMA’s regime, and whether the DMA itself needs targeted updates to address cloud‑specific competition issues.
The investigations encompass three threads:

• Two parallel fact‑finding probes to assess whether AWS and Microsoft Azure should be designated as DMA gatekeepers for their cloud services.
• A third market study to determine whether the DMA’s scope or obligations should be revised to address cloud‑specific practices that may undermine fairness and contestability.

The Commission says it aims to complete the inquiries within roughly one year — a timetable that would allow subsequent steps (including designation or rule‑changes) to follow under DMA enforcement procedures.

---

Why cloud, why now?​

Cloud concentration and market power​

Public cloud market concentration has been a persistent policy concern in Europe. The hyperscalers — led by AWS and Microsoft Azure, with Google Cloud trailing in third — together account for the lion’s share of global and European cloud infrastructure revenues. Multiple industry trackers show the top three controlling roughly two‑thirds (and in some public estimates up to ~70%) of the market across public IaaS/PaaS, with AWS and Azure consistently occupying the first and second slots.
That concentration matters for European governments and businesses because:

• A handful of providers host critical national and commercial data and workloads.
• High switching costs, proprietary service features and specialised enterprise integrations create practical barriers to migration.
• Many cutting‑edge AI workloads and data‑intensive services currently run on hyperscaler platforms, increasing lock‑in effects.

Recent outages and operational risk​

High‑profile service disruptions on AWS and Azure this year have sharpened scrutiny of cloud resilience and dependency. Extended outages have affected retail, banking, media and travel customers — from streaming and messaging apps to airline check‑in systems. These incidents have been widely reported and used by regulators and policymakers as concrete examples of the systemic risks when critical infrastructure is concentrated with a few providers.
Taken together, concentration plus visible outages has amplified political momentum in Brussels for assessing whether the DMA — originally designed with consumer‑facing platforms in mind — is fit to address the structural features of cloud computing.

---

What the investigation will look at​

Tests the Commission is likely to apply​

Although the DMA sets quantitative thresholds for gatekeeper designation (including turnover/market capitalization and user counts), the Commission also has the power to designate services as gatekeepers following market investigations even if the numeric tests are not met. In practice, the cloud probes will examine factors such as:

• Market intermediating role: Do AWS or Azure function as indispensable intermediaries between business users and their customers or other market players?
• Effects of network and platform integration: Are there structural practices (e.g., bundling, preferential treatment of in‑house services) that lock customers into a provider ecosystem?
• Switching costs and data portability: Are contractual, technical or pricing practices making it infeasible for business users to switch providers or run multicloud strategies effectively?
• Self‑preferencing and leveraging: Do the cloud providers advantage adjacent services (software, AI models, marketplaces) in ways that harm rival suppliers?
• Operational concentration and systemic risk: How does provider concentration affect resilience for critical sectors and public services?

The third study — assessing whether the DMA itself needs revision for cloud computing — could prompt targeted legislative adjustments or delegated acts to add cloud‑specific obligations if the commission concludes current rules leave gaps.

Possible outcomes​

• No gatekeeper designation, but targeted remedies — the Commission could conclude there is insufficient basis for designation but still recommend sector‑specific measures or greenlight targeted enforcement under competition law.
• Gatekeeper designation for cloud services — AWS and/or Azure could be formally added to the DMA’s gatekeeper list for cloud computing, triggering obligations such as interoperability, non‑discrimination, data portability rights and strict limits on self‑preferencing.
• DMA update — the Commission might decide to expand the DMA’s list of core platform services or add cloud‑tailored duties via delegated powers, even if formal gatekeeper status is not applied immediately.

---

What gatekeeper status would mean for cloud customers and providers​

Immediate compliance obligations​

Designation would mean concrete ex ante obligations for the cloud service offering, potentially including:

• Prohibitions on self‑preferencing of provider‑owned services and features.
• Obligations to enable interoperability and portability, lowering technical barriers to switching and hybrid/multicloud strategies.
• Transparency requirements for ranking, auctioning and allocation of infrastructure resources.
• Restrictions on using data gathered from business users to favour the provider’s own downstream services without consent.

These obligations could compel changes to licensing terms, APIs, default integrations and product packaging.

Enforcement and penalties​

The DMA grants the Commission strong enforcement tools. Non‑compliance can trigger fines of up to 10% of global annual turnover, rising to 20% for repeat or systematic infringements in some circumstances, plus the possibility of periodic penalty payments or structural remedies in extreme cases.

Customer impacts: benefits and trade‑offs​

• Benefits:
• Lower vendor lock‑in through enhanced portability and interoperability.
• Clearer rules on self‑preferencing and cross‑use of data, improving fairness for smaller software vendors.
• Stronger contractual leverage for European enterprises that rely on cloud infrastructure.
• Trade‑offs:
• Compliance costs tied to new reporting, audit and product segmentation obligations could be passed to customers.
• Potential feature fragmentation as providers redesign services to avoid regulatory exposure.
• Operational complexity for enterprises managing region‑specific behaviour of global cloud vendors.

---

How this ties to European digital sovereignty and AI strategy​

Europe’s push for digital sovereignty — the idea that critical digital infrastructure and capabilities should be less dependent on non‑European suppliers — has featured in policy debates for several years. The cloud investigations intersect with this objective along several dimensions:

• Access to compute and data for AI: Europe’s AI ambitions depend on reliable, affordable access to large compute and data processing platforms. If the Commission concludes hyperscalers impede fair access, it could impose obligations designed to level the playing field for European AI developers and smaller cloud providers.
• Regional resilience: Designation and new obligations could push vendors toward stronger local‑control commitments, contractual guarantees around data localisation, and more transparent governance for government and critical sector customers.
• Market development for European cloud vendors: Regulatory pressure on hyperscalers could create breathing room for European and regional providers, but only if policy steps are paired with industrial and investment strategies to grow market alternatives.

The investigations therefore have direct implications for competition policy, AI policy and industrial strategy in Europe.

---

Strengths of the Commission’s approach​

• Proactive remedying of systemic risks. The market inquiries acknowledge that cloud concentration is not purely an antitrust pricing problem; it creates systemic vulnerabilities and long‑term structural advantages that ex post enforcement may struggle to fix.
• Flexible use of DMA powers. The Commission’s ability to designate services as gatekeepers after a market study enables regulators to address rapid technological change and business models that sit outside static numeric thresholds.
• Policy coherence across EU digital rulebook. By aligning DMA scrutiny with wider initiatives (Data Act, DORA, AI Act), Brussels can pursue a coordinated strategy for market fairness, digital resilience and data governance.

---

Potential risks and downsides​

• Regulatory overreach could stifle innovation. Imposing ex ante obligations on highly dynamic infrastructure markets risks ossifying technical standards or deterring platform investment, especially where hyperscalers argue that scale drives innovation and price competition.
• Cost pass‑through to European businesses. Compliance and operational changes could raise cloud costs or complicate commercial arrangements, particularly for small and mid‑sized enterprises that lack bargaining power.
• Legal and political backlash. Designating cloud providers as gatekeepers would likely trigger lengthy legal challenges and political pushback from non‑EU governments and industry groups, prolonging uncertainty for customers.
• Fragmentation risk. If regulatory requirements differ markedly across jurisdictions, global cloud providers may adopt region‑specific product sets, raising complexity for multinational customers and possibly undermining interoperability gains.

These trade‑offs underline why the Commission’s market work must be careful and evidence‑driven rather than reflexive.

---

Practical implications for IT leaders and procurement teams​

Cloud‑dependent organisations should prepare for regulatory change now. Short, practical steps:

• Map critical cloud dependencies. Identify services, APIs and managed databases that represent high switching costs or single points of failure.
• Negotiate stronger contractual resilience. Seek explicit SLAs, failover options, and portability commitments in procurement and renewal talks.
• Adopt multicloud and hybrid patterns where feasible. Use containerisation, open standards and data abstraction layers to reduce provider lock‑in.
• Prepare for vendor‑specific policy changes. Build internal capacity to adapt to regionally differentiated provider behaviours or service fragmentation.
• Engage with regulators and trade bodies. Larger customers and industry consortia can feed operational realities into market investigations, shaping proportionate remedies.

These steps hedge operational risk while keeping options open for new market rules.

---

Scenarios to watch over the next 12 months​

• Investigation outcome A — designation: One or both providers are designated; immediate compliance notices and phased obligations follow. Expect litigation and rapid product re‑engineering.
• Investigation outcome B — targeted amendments to DMA: The Commission adopts delegated acts to add cloud‑focused obligations (for instance on data portability or non‑discrimination), without formal designation. Industry faces a mix of new compliance tasks.
• Investigation outcome C — market remedies or guidance: The Commission issues sector guidance or opens traditional competition cases on discrete practices (eg egress fees, data portability, or license tying).
• Investigation outcome D — status quo: The Commission concludes existing DMA rules suffice and opts for competition and supervisory measures outside DMA. Outcomes limited to voluntary commitments.

Each scenario carries different operational and legal consequences; enterprise planning should be scenario‑aware and flexible.

---

Strengths and weaknesses of the evidence base​

The Commission’s decision to open market investigations responds to a converging set of factual signals: market share concentration, real‑world outages that highlight systemic dependency, and persistent complaints about switching costs and licensing practices. Those empirical inputs are strong grounds to ask whether ex ante regulation is needed.
At the same time, cloud markets are fast‑moving. Rapid technological change (notably the rise of AI‑driven, GPU‑heavy workloads and new specialised entrants) can alter competitive dynamics quickly. This means:

• Any designation or obligation must be narrowly tailored to avoid regulatory lag.
• The Commission will need to rely on robust technical, contractual and market data to distinguish structural problems from transient competitive friction.

Where evidence is thin or outcomes highly uncertain, policy interventions should be proportionate and targeted to specific harms.

---

What vendors are saying — and what to read into it​

Hyperscalers are expected to push back on the premise that cloud infrastructure equals a classic platform "gatekeeper." Their core arguments are predictable:

• The cloud market is dynamic and competitive, with new entrants and price pressure.
• The DMA’s obligations were calibrated for consumer‑facing platforms, and imposing them on infrastructure could stifle innovation and create unintended cost burdens.
• Many downstream business decisions rest with their enterprise customers; the providers argue that designating them would not, on its own, cure switching costs or legacy application dependencies.

These are legitimate points about the risk of overreach. But they do not negate the structural realities regulators are examining: concentration, high lock‑in, and systemic resilience for critical services.

---

Final assessment — measured, targeted policy is the best path​

The Commission’s decision to investigate AWS and Microsoft Azure is a pivotal regulatory move that acknowledges cloud infrastructure’s centrality to Europe’s digital economy. The inquiry is justified by the twin realities of market concentration and the systemic consequences of outages. However, an effective outcome requires a surgical approach that balances three objectives:

• Protect competition and choice for business users and downstream ISVs.
• Avoid heavy‑handed rules that would reduce the incentives for hyperscalers to invest in capacity and innovation.
• Strengthen resilience and sovereignty through market‑friendly measures that lower switching costs and increase operational transparency.

If Brussels can target concrete, evidence‑based practices (eg restrictive licensing, opaque egress and porting constraints, or self‑preferencing in AI and software marketplaces) while preserving economies of scale that benefit customers, the investigations could deliver meaningful improvements in European cloud competition without imposing disproportionate costs.
For enterprises and IT leaders, the key takeaway is clear: treat regulatory risk as part of vendor risk. Mapping dependencies, negotiating stronger contractual protections, and investing in portability will pay dividends whether the DMA ends up designating gatekeepers or generating narrower cloud‑specific obligations.
The coming 12 months will be decisive. The Commission’s findings — and any resulting changes to the DMA or enforcement posture — will reshape how Europe buys, governs and relies on cloud infrastructure for the next decade.

---

Source: Digital Journal Amazon, Microsoft cloud services could face tougher EU rules