EU Probes AWS and Azure as DMA Gatekeepers: Cloud Competition and Sovereignty

The European Commission has opened formal market investigations to decide whether Amazon Web Services (AWS) and Microsoft Azure should be treated as regulated “gatekeepers” under the EU’s Digital Markets Act (DMA), and has launched a parallel, horizontal review of whether the DMA’s toolbox is fit to police cloud infrastructure — a move that puts hyperscale cloud providers at the centre of Europe’s strategy for competition, resilience and AI-era sovereignty.

Background​

Cloud infrastructure — long regarded as an operational procurement decision — has been recast as strategic public policy. Hyperscale providers now deliver not just compute and storage but integrated developer platforms, managed AI stacks, identity fabrics and global networking that underpin national services, finance, healthcare and commercial software ecosystems. Regulators increasingly view a concentrated cloud market as a potential bottleneck for competition and a systemic risk for resilience and digital sovereignty.
The DMA is an ex‑ante regulation intended to curb entrenched platform power by designating certain services as “gatekeepers” and imposing mandatory obligations such as non‑discrimination, data portability, interoperability and bans on self‑preferencing. Typical designation under the DMA relies on bright‑line quantitative thresholds (for example defined turnover, market capitalisation and user numbers), but the law also gives the Commission discretionary investigatory powers to bring services into scope that functionally act as gateways even where the numeric thresholds don’t fit neatly — a legal lever Brussels is now testing for cloud services.

---

What Brussels has opened and why it matters​

Three parallel inquiries​

• Two company‑specific market investigations: one each for AWS and Microsoft Azure to assess whether those cloud offerings function as DMA “gatekeepers” in practice.
• A horizontal study to determine whether the DMA’s obligations — designed mainly around consumer platforms — are legally and technically appropriate for enterprise cloud markets, or whether tailored measures are needed.

The Commission has signalled an ambition to complete the fact‑finding within roughly 12 months, after which it may choose to designate services, require remedies, or recommend legislative clarifications.

Why the Commission moved now​

Three converging trends explain the timing:

• Market concentration: Independent industry analysis places Amazon, Microsoft and Google together at roughly 70% of European cloud spending, leaving European regional providers with a materially smaller share. That concentration gives the big three structural leverage.
• Switching friction and commercial lock‑in: Longstanding complaints from customers and national authorities about egress charges, proprietary APIs, licensing incentives and bundled managed services that increase migration costs and complicate multi‑cloud strategies.
• Resilience and AI demand: High‑impact outages and the rapid adoption of specialized AI accelerators and managed AI platforms exaggerate lock‑in and make dependency on a few providers a strategic concern. Recent outages at AWS and other providers have been used as concrete evidence of systemic fragility.

These forces make cloud governance a mix of traditional competition law, industrial policy and critical‑infrastructure resilience — which is precisely the policy challenge Brussels now faces.

---

What “gatekeeper” would mean for cloud providers and their customers​

If the Commission designates a cloud service as a gatekeeper, the DMA’s ex‑ante obligations would apply to that service. Those obligations are strict and include:

• Non‑discrimination: no unfairly favouring first‑party services or partners.
• Interoperability and access: technical measures and interfaces to reduce lock‑in where feasible.
• Data portability: obligations to make data transferable and reduce exit friction.
• Bans on unfair tying and self‑preferencing: limits on using platform control to exclude rivals.

Non‑compliance carries heavy penalties: fines can reach up to 10% of global turnover for a first infringement and up to 20% for repeated breaches, with the Commission also empowered to impose periodic penalty payments and structural remedies in extreme cases. For corporate IT leaders, gatekeeper obligations could translate into immediate, measurable changes: clearer contractual terms on data export, mandated interoperability points, limits on vendor‑preferred pricing practices and new compliance supervision. For vendors, obligations would likely force product and pricing re‑engineering and could alter the economic calculus of building proprietary managed services or specialized silicon integrations.

---

Facts and numbers: what the evidence shows​

• Market concentration: Synergy Research Group’s regional analysis and multiple industry trackers show the top three global providers — AWS, Microsoft Azure and Google Cloud — now account for roughly 70% of the European cloud market, with European incumbents holding about 15% collectively. These figures are repeatedly cited in regulator briefings and form a factual basis for the Commission’s concerns.
• DMA mechanics: The DMA lists core platform services and sets quantitative thresholds for presumptive designation (including turnover and user metrics), but crucially the Commission can still designate services following market investigations when numerical thresholds are not the natural measure of market power — a critical point for cloud infrastructure where monthly consumer users isn’t the right metric.
• Outages and resilience: High‑profile AWS outages in recent months — including a major incident in October that affected widely used consumer and enterprise services — have illustrated how a single provider failure can cascade across many downstream services and sectors. Regulators cite such incidents when discussing systemic risk.
• Timeline: The Commission’s public statements and reporting indicate a fact‑finding window of about 12 months for the market investigations into AWS and Azure, a timetable that gives room for detailed technical evidence, stakeholder submissions and possible remedies.

Where reporting rests on anonymous briefings or preliminary filings, Brussels’ formal notices and the Commission’s own web pages remain the definitive record — and the Commission’s capacity to designate services after qualitative investigations is the central legal hinge in the cloud debate.

---

AWS and Microsoft responses — a preview of the advocacy fight​

Both companies have publicly signalled different emphases in their responses. AWS warned that designating cloud providers as gatekeepers risks stifling invention and raising costs for customers, and emphasized the sector’s dynamism and choice. Microsoft described Europe’s cloud sector as innovative and competitive and said it would cooperate with the inquiry. Expect both companies to submit extensive technical evidence, commercial data, and legal arguments in the months ahead. Those statements foreshadow a high‑stakes engagement: vendors will argue such designations undermine investment and innovation incentives; regulators will counter that unchecked concentration raises durable harms for competition, sovereignty and resilience.

---

Critical analysis — strengths and potential risks of the EU’s approach​

Strengths and opportunities​

• Proactive resilience policy: Treating cloud concentration as a structural risk allows regulators to address cascading outages and systemic fragility before another large‑scale failure imposes major societal costs. Recent outages give urgency to this logic.
• Addressing real lock‑in mechanics: The DMA’s obligations — if sensibly adapted — could reduce contractual and technical switching friction (egress pricing, proprietary APIs, licensing differentials) that make multi‑cloud and failover architectures costly in practice.
• Leverage for European digital sovereignty: Bringing cloud into the regulatory frame creates negotiating leverage for Europe to secure better data portability, local investment and technical standards that protect public interest use cases. Synergy’s data showing the top three controlling 70% of the EU market feeds that policy rationale.
• Precedent for AI governance: Because the most demanding AI workloads depend on specialised hardware and managed stacks, DMA‑style remedies could help prevent vertical foreclosure where cloud incumbents privilege their own models and tooling.

Risks and unintended consequences​

• Regulatory mismatch risk: The DMA was crafted for consumer‑facing core platform services; mapping its obligations to complex infrastructure semantics (latency, control‑plane primitives, hardware accelerators, contractual SLAs) is technically fraught and could produce impractical obligations. The Commission’s horizontal study acknowledges this difficulty.
• Potential to deter investment: Cloud providers invest billions in global data centres and bespoke hardware. Broad, prescriptive interoperability mandates or forced divestments could chill investment or shift costs to customers, especially for high‑performance and specialised AI infrastructure. AWS has made this direct argument.
• Security and complexity trade‑offs: Forced third‑party access or open control‑plane interfaces may increase attack surfaces or operational complexity; interoperability designed without security engineering could create new vulnerabilities. Independent commentators have warned of such trade‑offs in other DMA debates.
• Fragmentation and compliance costs: Differing national responses across the EU or inconsistent requirements could fragment the single market and raise procurement complexity for European businesses, particularly SMEs that lack bargaining power to enforce favourable contract clauses.
• Risk of legal gaming: Hybrids of compliance and circumvention could emerge — for example, re‑labelling services, shifting feature sets across product lines, or carving narrow compliance windows that preserve the most valuable forms of lock‑in.

---

What this means for IT leaders, cloud architects and WindowsForum readers​

The Commission’s decision to probe AWS and Azure is actionable policy, not a theoretical debate. For enterprise IT teams and procurement leads, this phase is a window to reduce exposure and influence outcomes.

• Inventory dependencies now. Map which applications, data paths and AI workloads depend on which cloud provider services and identify single‑provider failure points. Use both technical and commercial views: APIs, managed services, licensing terms, and network/egress paths.
• Revisit and negotiate exit terms. Egress pricing, data formats, transfer timelines, and IP/licensing clauses should be expressly evaluated in renewals. Ask vendors for realistic migration playbooks and measurable performance for data export.
• Test real portability and DR. Don’t assume multi‑cloud is proven by marketing; conduct practical portability tests for high‑value workloads and validate SLA behaviour under failover scenarios. Technical portability tests reveal hidden friction that regulators are now probing.
• Consider architectural mitigation. Where appropriate, move to loosely coupled architectures, container and orchestration standards, or neutral middleware that reduce dependence on provider‑specific managed services. This is not always feasible for high‑performance AI but can dramatically lower lock‑in for many apps.
• Engage compliance and legal early. Track the Commission’s consultations and be ready to submit evidence — both vendors and customers will shape the factual record the Commission uses. Well‑documented customer experiences about egress, performance and switching costs carry weight.
• Monitor vendor roadmaps for “DMA‑safe” product designs. Vendors will respond with product and pricing changes; some will offer migration tooling, new contractual guarantees, or regional investment commitments. Evaluate these offers critically, not simply on marketing promises.

---

How the probes will play out — likely phases and tactical expectations​

• Evidence gathering (now — next 6–12 months): The Commission will collect contractual texts, technical testimony, market data and stakeholder submissions. Vendors and large customers will provide detailed evidence. The public timetable aims for a roughly 12‑month inquiry period.
• Preliminary findings and remedy discussions: If the Commission finds sufficient qualitative evidence of gatekeeper behaviour, it may either designate services or propose targeted remedies and open a remedies dialogue. Designation typically comes with a grace period to comply with DMA obligations.
• Legal and political contestation: Expect vigorous legal challenges and intense lobbying. Vendors will argue the DMA’s technical fit for cloud is misplaced; member states and industry groups will debate sovereignty vs. competitiveness trade‑offs.
• Outcome scenarios: The Commission could (a) designate AWS and/or Azure as gatekeepers for specific cloud services; (b) decline designation but push targeted, sectoral remedies; or (c) recommend legislative clarifications to tailor the DMA to infrastructure markets. Each outcome has distinct implications for procurement, product design and compliance workstreams.

---

Technical feasibility: can the DMA’s rules be adapted to cloud?​

Designing enforceable, technical interoperability rules for cloud is non‑trivial. Questions that must be solved include:

• What level of interoperability is feasible without degrading performance? (API compatibility, control‑plane semantics, or only higher‑level data export?
• How to define and measure “switching cost” in cloud terms — is it data volume, application re‑architecture effort, or availability of compatible managed services?
• How to protect security while opening access? Mandated interfaces must be secure, auditable and enforceable.

Meeting these design constraints will require collaboration between regulators, standards bodies and engineering teams — a heavy lift, but not impossible if the goals are narrowly targeted and technically realistic.

---

Final verdict: a regulatory inflection point with wide implications​

The Commission’s probes mark a pivotal moment. If Brussels concludes that cloud infrastructure can, in practice, act as a DMA gatekeeper, the result could reshape vendor economics, accelerate portability tooling, and strengthen Europe’s bargaining position on data portability and sovereignty. Conversely, miscalibrated remedies risk raising costs, fragmenting standards, and imposing compliance burdens that slow innovation where it matters most — in AI and high‑performance workloads.
For WindowsForum readers and IT decision‑makers, the practical takeaway is clear: use this regulatory window to harden your organisation’s cloud posture, document evidence of switching friction, negotiate exit and portability guarantees, and test resilience assumptions. The next 12 months will determine whether the DMA becomes an instrument of cloud contestability — or whether the GDPR‑style scramble for technical detail will push outcomes into courts and political compromise. Either way, the era in which cloud was purely an operational commodity is over.

---

Europe is now testing whether the legal architecture that rewired consumer platforms can be adapted to the infrastructure that runs the digital economy. The answer will define how enterprises procure, design and secure their cloud estates for years to come.

---

Source: mint EU to assess whether Amazon and Microsoft cloud businesses need extra scrutiny | Mint