EU Opens DMA Probes into AWS and Azure Cloud to Curb Lock-In

The European Commission’s decision on 18 November 2025 to open three formal market investigations into Amazon Web Services (AWS) and Microsoft Azure under the Digital Markets Act (DMA) marks a major escalation in how Brussels intends to police cloud infrastructure and the competitive dynamics that underlie today’s AI-driven digital economy.

Background / Overview​

Cloud computing is no longer a background utility — it has become the strategic backbone for enterprise IT, public services, and the compute-intensive workloads that drive artificial intelligence. A handful of global hyperscalers now control the bulk of public cloud capacity in Europe, and the European Commission has signalled that this concentration, combined with observed commercial and technical frictions, justifies close regulatory scrutiny.
The Commission launched two company-specific market investigations — one targeting AWS, the other Microsoft Azure — together with a horizontal study to test whether the DMA’s rules and remedies, originally designed for consumer-facing platforms, can be sensibly adapted to infrastructure markets. Brussels said it aims to complete the inquiries within about 12 months, and under the DMA framework any service designated a “gatekeeper” would typically be required to come into compliance within six months of designation.
These inquiries are consequential because the DMA is an ex‑ante enforcement instrument that imposes specific obligations — such as non‑discrimination, data portability, and prohibitions on self‑preferencing — on designated gatekeepers and backs those duties with substantial penalties and remedial powers.

---

Why the EU moved now​

Strategic stakes: AI, resilience and sovereignty​

Three converging trends pushed cloud to the top of the EU policy agenda.

• The explosive growth of AI workloads has intensified demand for specialised hardware (GPUs and other accelerators) and tightly integrated managed stacks. Those capabilities are concentrated in hyperscaler platforms, amplifying the commercial value of incumbency and increasing switching friction for customers that depend on vendor-specific tooling.
• High‑impact outages at major cloud providers over the last several years have highlighted systemic resilience risks that can cascade across sectors — from media and retail to national public services and banking.
• European policymakers have grown more vocal about digital sovereignty: the desire to ensure that critical public‑sector services and industrial infrastructure can run on providers and configurations that guarantee legal, operational, and jurisdictional control.

Regulators see cloud not only as a competition problem but as a matter of strategic infrastructure governance. That broader political context helps explain why Brussels chose to use the DMA’s investigative powers rather than limiting itself to classical ex‑post antitrust probes.

Precedent: national probes and UK pressure​

The European track follows extensive national work, most prominently by the UK Competition and Markets Authority (CMA). The CMA’s provisional findings earlier in 2025 flagged that AWS and Microsoft together hold very large shares of cloud spending in the UK and recommended further action under Britain’s new digital markets powers. That national scrutiny helped crystallise the concerns now being examined at EU level: switching costs driven by egress fees, licensing practices that may favour incumbent clouds, and bundling/self‑preferencing of managed services.
The broader pattern is clear: national fact‑finding and industry reports created an evidentiary mosaic that Brussels is now integrating into a Europe‑wide assessment.

---

What the investigations will examine​

Core lines of inquiry​

The Commission’s probes will combine structural market analysis with detailed technical fact‑finding. Key areas of focus include:

• Gatekeeper designation mechanics: Do AWS or Azure — or specific cloud services they operate — function as indispensable intermediaries between business customers and end users, thereby meeting the DMA’s qualitative gatekeeper test even if some quantitative thresholds are not straightforward to apply?
• Switching friction and data portability: Are exit costs, egress fees, or export tooling structured in ways that materially deter migration between providers?
• Licensing and pricing practices: Does differential licensing (for example, conditions for running Microsoft software on non‑Azure clouds) create economic disincentives for customers to switch?
• Self‑preferencing and bundling: Do first‑party managed services, marketplaces, or AI stacks receive preferential placement, pricing, or performance that disadvantage independent ISVs and alternative infrastructure providers?
• Interoperability and proprietary control planes: Are control‑plane APIs, proprietary primitives, or platform primitives designed such that multi‑cloud operation or practical migration becomes infeasible?
• Resilience and systemic risk: How do operational concentration and outage dynamics affect public‑interest sectors and national critical infrastructure?

The horizontal study: is DMA fit for cloud?​

A distinctive third strand of the Commission’s work is methodological: testing whether the DMA — conceived around consumer metrics like monthly active users and ad‑driven ecosystems — fits an enterprise infrastructure domain where relevant dimensions include contract value, capacity quotas, latency, and specialised hardware access. The horizontal probe will examine whether DMA obligations need translation or adaptation to be technically and legally practicable for cloud markets.

---

The DMA toolbox and potential consequences​

The DMA creates a potent toolkit that, if mapped to cloud services, would bring immediate legal obligations and enforcement mechanisms into play.

• Mandatory duties for gatekeepers: These can include non‑discrimination in ranking and access, obligations to enable interoperability in specific circumstances, restrictions on unfair tying or bundling, and enhanced business‑user protections such as data portability promises.
• Enforcement powers and penalties: The DMA allows fines up to 10% of worldwide turnover for first breaches and up to 20% for repeated breaches, plus possible periodic penalty payments and, in extreme cases, structural remedies.
• Timeframes: The DMA generally provides a presumption mechanism based on quantitative thresholds, but where services do not meet those thresholds the Commission can launch qualitative market investigations; if designated, gatekeepers typically have six months to comply with DMA obligations.

If the Commission concludes that AWS, Azure, or specific cloud services should be designated, the immediate effect would be mandatory obligations to change product behaviour and contractual terms — with significant commercial and technical implications for both providers and customers.

---

Verified technical and legal details (what we can confirm)​

• The Commission announced the launch of three related market investigations targeting AWS and Azure and an assessment of the DMA’s applicability to cloud services on 18 November 2025.
• The DMA provides for designations of gatekeepers by a mixture of quantitative thresholds (benchmarks for turnover, market capitalisation, monthly end users, and business users) and qualitative tests when services act as important gateways between businesses and consumers. Those thresholds are set out in the DMA text, which also establishes a six‑month compliance window following designation and fines of up to 10% (and up to 20% for repeated breaches).
• The UK Competition and Markets Authority has previously flagged AWS and Microsoft as holding “significant unilateral market power” in cloud services and recommended further action under Britain’s digital markets powers; the CMA’s fact‑finding served as a proximate stimulus for Brussels’ inquiries.
• Regulators and independent industry trackers consistently report that the top three global cloud providers — AWS, Microsoft Azure and Google Cloud — account for the majority of public IaaS/PaaS spend in Europe, creating concentrated market dynamics.

Some finer points — such as precise market‑share percentages in every country, the Commission’s internal evidentiary record, and the companies’ full confidential responses to formal Commission questions — remain under investigation and are not yet publicly disclosed.

---

Critical analysis: potential strengths of the probe​

1. Tackle structural lock‑in and improve portability​

If regulation can reduce artificial switching costs — by limiting punitive egress fees, mandating clearer portability tools, and constraining licensing practices that favour a provider’s own cloud — European businesses stand to gain real bargaining power. Improved portability would encourage competition on service quality, price, and innovation.

2. Promote interoperability and an open ecosystem for AI​

Barring self‑preferencing and enforcing technical interoperability could expand opportunities for independent AI tooling, specialised European cloud providers, and regional players. That could accelerate a more pluralistic cloud market in which buyers can mix-and-match best‑of‑breed infrastructure and managed services.

3. Strengthen resilience and public‑sector confidence​

Rules that lower concentration risk and force better cross‑provider interoperability can reduce single‑point‑of‑failure exposures for critical public services. For governments seeking digital sovereignty, clearer obligations and enforceable portability are an important lever.

4. Signalling and deterrence​

DMA enforcement already resulted in major fines and behavioural constraints for other tech giants. Extending its reach credibly to cloud providers would signal to the market that the EU will act pre‑emptively where systemic risks to competition and resilience exist.

---

Critical analysis: risks and unintended consequences​

1. Translation problems — consumer rules vs. infrastructure realities​

The DMA’s original design assumed consumer‑facing platform dynamics with large numbers of identifiable monthly end users. Cloud infrastructure operates under different economics: long‑term enterprise contracts, capacity commitments, performance SLAs, and specialised hardware. Translating obligations like “interoperability” into specific, enforceable technical requirements for the cloud is legally and technically fraught and risks producing ambiguous or impractical remedies.

2. Investment and performance trade‑offs​

Hyperscalers argue that the economics of large, globally distributed data centres and custom silicon require long planning horizons and high returns. Heavy‑handed obligations that constrain product design or require disaggregation of integrated stacks could reduce incentives for frontier investment — for example in datacentre expansion or next‑generation accelerator design — if not carefully calibrated.

3. Cost and complexity for buyers​

Although the DMA aims to reduce lock‑in, compliance‑driven architectural changes could increase vendor complexity and operational costs for customers — at least in transition. Mandated interoperability layers or portability APIs could introduce performance overheads, versioning complexity, or new integration costs. Smaller vendors and public buyers face particular transitional risk.

4. Enforcement and fragmentation risks​

Applying broad ex‑ante obligations to infrastructure could prompt legal challenges and create inconsistency across jurisdictions. The UK, EU and national regulators may adopt differing remedies; multinational customers could face a patchwork of obligations that complicate procurement and governance.

---

What businesses and customers should do now​

Enterprises and public purchasers should treat the next 12–18 months as a period of regulatory uncertainty that requires proactive risk management.

• Map dependencies: Develop an inventory of cloud dependencies, including which services run on which cloud primitives (compute, managed databases, AI model hosting, identity services, networking), and identify vendor‑specific components.
• Review contracts and exit terms: Audit egress clauses, data export tooling, and migration warranties. Seek clearer SLAs and technical guarantees about export fidelity and timelines.
• Negotiate portability guarantees: Obtain contractual commitments to data export formats, migration assistance, and cost caps for data egress where possible.
• Pilot multi‑cloud resilience: Where business criticality demands, run resilience exercises (failover, recovery, cross‑cloud backups) to understand the real operational costs of moving workloads.
• Engage with procurement and legal teams: Ensure procurement strategies incorporate regulatory scenarios and that legal counsel models the implications of DMA designation on contractual obligations.
• Watch for standardisation opportunities: Support or monitor industry efforts to create open migration tools, standardised APIs, and interoperable formats that can reduce lock‑in irrespective of the regulatory outcome.

---

How hyperscalers are likely to respond (and what to expect)​

Hyperscalers typically pursue a multi‑track response: public reassurances of competition and investment, technical and contractual adjustments where possible, and coordinated legal engagement. Expect Amazon and Microsoft to:

• Emphasise competitive dynamics and alternative suppliers.
• Argue that technical and contractual choices are customer‑driven and optimized for performance and security.
• Offer targeted commercial concessions or product changes to address narrow behavioural concerns while resisting broad structural remedies.
• Cooperate with technical testing and provide confidential evidence to the Commission, while contesting any proposed measures that would materially harm their commercial models.

Regulatory design will therefore be as much a negotiation over technical specifics — e.g., what constitutes adequate portability — as it is a legal contest over the DMA’s scope.

---

Likely timeline and practical implications​

• The Commission set an approximate 12‑month target to complete the investigations; if maintained, that would lead to a public outcome by roughly mid‑late November 2026.
• If the Commission decides a cloud service qualifies as a gatekeeper, designated obligations typically include a six‑month compliance window, meaning the earliest compliance deadlines could fall in spring‑summer 2027.
• In the meantime, expect a period of heightened regulatory scrutiny, more detailed information requests to the companies, stakeholder consultations, and parallel national actions that may inform the EU’s final view.

---

What success and failure look like​

• A “successful” regulatory outcome for competition would be narrowly tailored remedies that reduce demonstrable lock‑in (egress pricing reform, clearer portability guarantees, constrained self‑preferencing) while preserving incentives for large‑scale investment in infrastructure and performance.
• A “failed” outcome could take two forms: either overly rigid remedies that hamper innovation and increase long‑run costs for European buyers, or weak enforcement that leaves existing lock‑in and strategic vulnerabilities intact.

The central challenge for regulators will be striking this balance: achieving tangible gains for contestability and resilience without imposing technical mandates that degrade service quality or investment incentives.

---

Final assessment: what it means for the European cloud landscape​

Brussels’ move to investigate AWS and Azure under the DMA is a watershed moment. It signals that the EU sees cloud infrastructure as more than an economic input — it is strategic infrastructure deserving of ex‑ante rules where necessary. The inquiry reflects legitimate concerns about concentration, switching costs, and the strategic risks posed by an AI‑dominated cloud ecosystem.
At the same time, the exercise will test the limits of one-size‑fits‑all digital regulation. The DMA’s ambitions collide with the technical particularities of enterprise infrastructure. The critical question is whether regulators can craft remedies that are both legally robust and technically precise: measures that open markets and lower lock‑in without creating perverse incentives that undermine the very innovation the policy seeks to protect.
For enterprises and public bodies, the coming months are a prompt to shore up preparedness: map cloud dependencies, revisit contracts, and stress‑test multi‑cloud strategies. For investors and technology leaders, the investigation will be a key signal about the EU’s appetite for shaping the cloud market’s future architecture.
The outcome will influence not only how AWS and Azure operate in Europe, but how global cloud economics, AI platform strategies, and the architecture of digital sovereignty evolve over the next decade. The regulatory process that begins now is likely to produce incremental reforms and technical debates before it settles into a new operating reality for cloud services in Europe.

---

Source: Українські Національні Новини https://unn.ua/en/news/amazon-and-m...liance-with-fair-competition-rules-in-the-eu/