EU Probes AWS and Azure as DMA Gatekeepers After Cloud Outages

The European Commission has opened formal scrutiny of Amazon Web Services and Microsoft Azure to determine whether their cloud platforms should be designated as “gatekeepers” under the Digital Markets Act (DMA) — a move triggered by a string of high‑impact outages that highlighted how concentrated cloud dependence can create systemic risk across business and government services.

Background​

The DMA is the EU’s flagship competition and platform‑control law designed to curb entrenched market power among a small number of large digital platforms. Its enforcement toolbox includes the power to designate companies as gatekeepers — firms that operate “important gateways” between businesses and consumers — and to impose mandatory do’s and don’ts, with heavy fines for non‑compliance. The Commission may conclude market investigations within about 12 months and typically communicates preliminary findings within six months; gatekeepers designated under the DMA have a compressed compliance timetable and may face fines of up to 10% of global annual turnover for breaches. This week’s developments place cloud infrastructure — the foundational layer for modern apps, banking, transport, government services, and increasingly AI — squarely in the regulator’s sights. The Commission’s inquiry has two linked strands: a company‑level probe into whether AWS and Azure meet the DMA’s qualitative criteria for being designated as gatekeepers for cloud computing services, and a sectoral study to assess whether the DMA as written can effectively address systemic risks and competition problems in the cloud market.

---

Why now: the outages that forced the issue​

The AWS disruption — scale and ripple effects​

On 20 October a major outage at a critical AWS region caused cascading failures across dozens of high‑profile services and consumer apps, producing widespread reports of outages from gaming platforms to financial services and airline check‑ins. The incident was traced to DNS/DynamoDB and networking issues in the US East region, and many customers reported prolonged partial outages before recovery measures took hold. The event revived stark questions about the resilience risks that come with concentrating infrastructure among a handful of global cloud providers. Industry observers and monitoring firms warned of very large economic costs from even short but widespread cloud failures. Some commentators and monitoring vendors suggested potential economic impacts in the billions, with one expert offering a higher figure (an extrapolation into the “hundreds of billions”) driven by lost productivity and business interruption. That upper‑range estimate should be treated as an expert projection rather than an audited total — it is plausible as an order‑of‑magnitude warning, but not a verified, economy‑wide accounting.

The Azure incident — government and critical services affected​

Less than two weeks later Microsoft Azure experienced its own significant outage that disrupted Microsoft’s first‑party services and a range of customer systems, from airports and telecoms to parliamentary voting systems. Notably, the Scottish Parliament suspended voting when its electronic voting system — reliant on Microsoft services — became unavailable, a practical illustration of the political and civic vulnerability introduced by cloud outages. The root cause Microsoft reported was an inadvertent configuration change in edge/DNS infrastructure (Azure Front Door), which propagated errors across many hosted services. Taken together, the two incidents concentrated regulatory attention. They produced public debate on the adequacy of resilience planning by cloud vendors, the contractual terms that limit customer control, and whether the current DMA framework — which was not originally tuned to address hyperscale cloud infrastructure — provides the necessary tools to protect competition, interoperability and public interest in this critical layer.

---

What the EU is investigating​

Two parallel tracks​

• Company‑level market investigations to decide whether AWS and Microsoft Azure qualify as gatekeepers for cloud computing services despite not meeting the DMA’s standard quantitative thresholds (45 million EU monthly end users and 10,000 yearly active EU business users). The Commission will assess whether qualitative features of the cloud market create de facto gatekeeper power.
• A sectoral review of whether the DMA’s current structure and remedies are fit for purpose for cloud computing. This will examine interoperability obstacles, access to data for business customers, bundling and tying practices, and imbalanced contractual terms such as egress fees and exclusivity clauses. The aim is to decide if the DMA needs specific amendments or tailored remedies for cloud services.

The Commission’s market investigations are expected to progress under the DMA’s procedural timelines (with an aim to reach decisions within roughly 12 months), while the broader legislative/sectoral review will take longer, with officials signaling a potential 12–18 month horizon to complete the efficacy review. These timeframes reflect the DMA’s standard procedural windows for market investigations and the complexity of technical evidence collection.

Key facts the Commission will probe​

• Whether cloud providers’ technical choices (proprietary APIs, unique extensions, custom hardware stacks and service‑specific features) create switching costs that effectively lock customers in.
• Whether contractual practices — including data access restrictions, egress fees, and preferential treatment for a provider’s own services — materially weaken competition.
• The real world scope of market positions: how many websites and business services rely on each provider; the distribution of workloads across hyperscalers and smaller providers.
• Systemic risk and public interest exposures: critical public services whose availability is tied to one vendor, and whether remedies should include minimum interoperability or redundancy requirements.

---

How strong are AWS and Azure in the market today?​

Quantifying market power in cloud is not straightforward: different metrics (IaaS/PaaS revenue share, number of hostnames, market value of workloads, or the share of the top 1,000 websites) produce different pictures.

• Infrastructure metrics (IaaS/PaaS revenue) typically show a three‑way competitive landscape where AWS, Microsoft Azure and Google Cloud together dominate the global market. That revenue balance has historically placed AWS and Azure at the top of the sector, with the precise shares shifting by quarter and methodology.
• Measurements of website hosting and hostnames (the visible “live websites” footprint) are an alternative lens. Industry compilation services that crawl the web and aggregate hosting fingerprints estimate that approximately 50 million live websites rely on AWS — a non‑trivial share of the internet — and that Microsoft Azure hosts a substantially smaller slice in terms of hosted website count. These figures are estimates based on third‑party crawls and should be treated as indicative rather than exact, because tracking hosting at web scale is subject to classification errors (CDN fronting, reverse proxies, multi‑tenant hosting).
• National regulators have also signalled concerns independently. The UK Competition and Markets Authority, in provisional analysis of its cloud market work, has flagged sustained returns and technical features that can foreclose competitors — findings the EU will likely weigh alongside the Commission’s evidence gathering.

In short: plurality of evidence points to very strong market positions for the hyperscalers. The Commission’s question is whether that strength, combined with cloud market structure and technical lock‑ins, translates into the kind of bottleneck power the DMA is meant to remedy.

---

What designation as a gatekeeper would mean in practice​

If the Commission designates a cloud provider as a gatekeeper for cloud computing services, several important consequences follow:

• The firm would be required to comply with DMA obligations for the relevant core platform service(s) within the statutory timelines (typically a months‑level window to submit compliance plans and then a six‑month compliance window for certain obligations). The DMA already prescribes a menu of behavioural requirements that are directly applicable once designation is made.
• Non‑compliance may trigger fines of up to 10% of the undertaking’s total worldwide annual turnover for single breaches, and up to 20% for repeat or systemic failures, along with the possibility of behavioural or structural remedies in extreme cases.
• Specific remedies for cloud could include mandated interoperability standards (APIs and data formats), limits on egress charges deemed anti‑competitive, enforceable commitments to remove contractual clauses that impede portability, and more granular transparency obligations about profiling and automated control systems.
• A designation would also expand the Commission’s oversight toolkit: the DMA allows the Commission to open compliance investigations, require audits, seek injunctions and impose periodic penalty payments to secure enforcement.

---

Strengths of the EU’s approach — what it could achieve​

• Targeted leverage on structural risk: The DMA is one of the first regulatory instruments that can impose ex ante obligations and binding behavioural rules on digital platforms. Applying it to cloud would let regulators move beyond after‑the‑fact antitrust remedies, and require preventive measures to reduce systemic exposure.
• Focus on interoperability and portability: The DMA’s emphasis on avoiding self‑preferencing and enabling business users to reach customers without being locked into a single platform could, if tailored correctly, materially lower switching costs in cloud services.
• Speed and legal clarity: DMA procedures are faster than traditional antitrust investigations, which can take years. A one‑year market probe to reach a designation decision is designed to be timely and reduce the lag between harm discovery and remedy imposition.
• Deterrence and enforceability: Penalties of up to 10% of global turnover create real financial incentives to comply, and the DMA’s implementation model (direct obligations) reduces reliance on case‑by‑case litigation.

---

Risks, trade‑offs and legal pushback​

• Regulatory overreach and unintended consequences: Designing ex ante obligations for a technically complex and rapidly evolving market risks creating rigid rules that hamper innovation, raise compliance costs, or reduce the ability of cloud providers to deploy efficiency improvements (network optimisations, proprietary accelerators) that benefit customers.
• Measurement and designation complexity: The DMA’s original thresholds are user and business count‑based, a poor fit for enterprise‑facing cloud contracts that do not expose per‑user metrics. Using qualitative criteria to designate gatekeepers will invite legal challenges and political pushback, and regulators will need rock‑solid empirical evidence to support any designation decision.
• International frictions: Heavy EU regulation of US‑headquartered cloud providers will feed into broader trade and geopolitical tensions, particularly if remedies are perceived as discriminatory or protectionist. The earlier EU fines under the DMA against notable platforms already drew critical responses from the companies and political actors. Those dynamics complicate enforcement and may lead to cross‑border litigation and appeals.
• Fragmentation risk: If the EU mandates European‑specific technical or data localisation requirements as remedies, it could accelerate a fragmentation of cloud architectures (regional forks of APIs or compliant stacks) that increase complexity and costs for global customers. That said, carefully calibrated interoperability obligations could reduce fragmentation by creating common standards rather than unique, national requirements.

---

What to watch next (short and medium term)​

• Formal market investigation notices: the Commission will either open formal market investigations under the DMA or begin an evidence‑gathering process with stakeholders. Expect initial notices and requests for documentary submissions within weeks to months.
• Preliminary findings within six months: the DMA process envisages communicating preliminary findings to the parties within roughly six months; those findings will indicate whether the Commission preliminarily considers designation warranted.
• Parallel sectoral review outputs: the Commission’s 12–18 month sector review could recommend DMA amendments, bespoke cloud obligations, or new interoperability standards.
• Industry responses and litigation: hyperscalers and industry groups will likely provide coordinated submissions and may challenge any designation decisions in EU courts, arguing that the DMA is being over‑stretched beyond its original intent.

---

Practical implications for enterprises, governments and cloud architects​

• Revisit multi‑cloud and hybrid strategies: Organizations should accelerate resilience planning that avoids single‑provider criticality for mission‑critical services, using multi‑region and multi‑cloud architectures where feasible, with tested failover and clear recovery runbooks.
• Re‑negotiate contractual clarity: Now is the time to review contracts for data portability clauses, egress pricing, guaranteed export/import tooling, and SLAs that bind providers to meaningful recovery and accountability commitments.
• Inventory cloud dependencies for public services: Governments should identify critical processes that run on single provider stacks and create contingency plans, including options for local or on‑prem fallbacks for high‑impact civic functions.
• Invest in observability and testing: Enterprises should expand independent monitoring and chaos engineering exercises to validate recovery processes and detect brittle dependencies that only become visible under stress.

---

Policy options the EU might consider (and their trade‑offs)​

• Mandated interoperability standards for core cloud functions (e.g., identity, storage formats, orchestration interfaces): this would reduce lock‑in but risks standardising away useful innovation unless standards are agile and continuously updated.
• Limits on anti‑competitive contract terms (egress fees, exclusivity): could increase switching but might reduce the ability to price differentiated services and fund large infrastructure investments.
• Minimum resilience and transparency obligations for providers of infrastructure underpinning critical services: would raise the bar for public tendering and provide governments with better incident data, at the cost of additional regulatory compliance burdens for providers.
• Encouraging regional cloud alternatives and certification programs: strengthens sovereignty but may increase costs and fragmentation.

Each option requires careful calibration to avoid undermining the competitive dynamics that have driven price declines and rapid capability growth in cloud services over the past decade.

---

Final analysis — balancing systemic risk against innovation​

The EU’s move to evaluate whether AWS and Azure should be treated as DMA gatekeepers for cloud services is a consequential evolution of digital regulation. The Commission is responding to tangible, observable harms: cascading outages that affect critical infrastructure, public services and large swaths of the digital economy. There is a clear public interest case for reducing systemic dependencies and enhancing portability and interoperability in cloud computing.
At the same time, there is a real need for proportionality. Overbroad designation or blunt obligations could unintentionally undermine efficiency, slow investments in next‑generation infrastructure and provoke damaging regulatory fragmentation. The single most important outcome regulators should aim for is targeted remedies that materially reduce switching costs, increase transparency, and require robust resilience measures — without freezing the market dynamics that have delivered scale, innovation and falling prices.
The Commission’s challenge is technical, economic and legal: it must produce a defensible evidentiary record, craft remedies that are light on unintended consequences, and coordinate across jurisdictions to avoid a patchwork of conflicting obligations for a globalized cloud industry. For users, businesses and public institutions the immediate practical takeaway is straightforward: the risks that regulators are now discussing are real, visible and solvable — but they will not be solved by regulation alone. Architecture, contracts and contingency planning will determine whether individual organizations are vulnerable to the next hyperscaler outage.
Expect a busy year ahead: the Commission’s market investigations and sector review will shape not just EU policy, but global practices for cloud governance, procurement and resilience. Businesses that act now to reduce single‑vendor exposure and to insist on contractual portability will be better placed to ride through regulatory change and to reduce the operational risks that prompted this regulatory reckoning.

---

Source: Silicon Republic https://www.siliconrepublic.com/bus...atekeeper-cloud-services-european-commission/