EU Probes AWS and Azure Cloud Under DMA to Test Gatekeeper Rules

The European Commission’s decision to open formal market investigations into the cloud businesses of Amazon Web Services (AWS) and Microsoft Azure — together with a third, cross‑cutting probe to test whether the Digital Markets Act (DMA) can sensibly be applied to cloud infrastructure — marks a decisive escalation in Brussels’ ambition to treat hyperscale cloud services as potentially “gatekeeper” platforms and to weld competition policy to digital sovereignty and resilience planning.

Background​

Cloud computing has moved from a cost‑saving option to the strategic backbone for business, government, and AI deployments. A small group of hyperscalers now provide the majority of public cloud capacity globally, and that concentration has prompted regulators to ask whether market structure and provider practices are creating durable barriers to competition, resilience gaps, and lock‑in risks for European economies. The European Commission’s newly opened inquiries are explicitly framed by those concerns and by a desire to determine whether the DMA — the EU’s ex‑ante competition tool for digital gatekeepers — can or should be extended to cloud infrastructure.
The DMA already carries potent enforcement tools: fines up to 10% of worldwide turnover for first infringements and up to 20% for repeated violations, plus periodic penalties and, in the most extreme cases, behavioural or structural remedies. These figures and enforcement powers are codified in the DMA’s legal text and Commission guidance.

---

What the Commission is actually investigating​

Three parallel inquiries — what they are testing​

• Two focused market investigations: one into AWS and one into Microsoft Azure. These ask whether specific cloud offerings and provider behaviour meet the DMA’s gatekeeper functional and economic tests.
• A third, horizontal probe: a methodological assessment of whether the DMA’s existing toolbox — drafted initially for consumer‑facing platforms — is fit for an infrastructure market with different metrics, technical primitives, and procurement realities.

The Commission has signalled it intends to complete these inquiries within a roughly 12‑month timeframe, allowing for detailed technical evidence, stakeholder consultations, and potential remedies if the investigations find actionable concerns.

Core lines of inquiry​

Investigators will likely focus on a short list of structural and behavioural mechanics that can raise effective switching costs and favour incumbents:

• Data portability and egress pricing — charges and technical obstacles that make migration slow, risky, or expensive.
• Self‑preferencing and bundling — whether first‑party managed services, marketplaces, or performance priorities privilege the host provider’s ecosystem over third‑party rivals.
• Licensing and commercial conditions — differential pricing or licensing that makes running the same workload on competing clouds materially more expensive.
• Interoperability and control‑plane access — proprietary APIs, runtime primitives, or control‑plane features that effectively lock workloads in.
• Operational resilience and systemic risk — whether concentration creates fragility that threatens public services and critical infrastructure.

These are not speculative points: national competition authorities (notably the UK’s Competition and Markets Authority) and industry studies have repeatedly flagged similar frictions, giving Brussels a rich evidence base to start from.

---

Why Brussels moved now​

A confluence of political, economic, and technical drivers pushed cloud into the DMA crosshairs.

• Market concentration: Independent market trackers and national authorities report that AWS, Microsoft and — to a lesser degree — Google Cloud account for a lion’s share of public cloud spend in many European markets. That concentration manifests as scale advantages, network effects and long time horizons that favour incumbents.
• High‑impact outages: Recent, widely publicised outages at hyperscalers exposed how dependent downstream services — including public institutions and critical business systems — are on a handful of cloud primitives (DNS, global ingress/egress fabrics, identity and managed databases). Those incidents reframed cloud from a commercial convenience to systemic infrastructure.
• The AI accelerant: Generative AI and large model workloads drastically increase demand for specialised compute, proprietary stacks and vendor‑specific accelerators, deepening lock‑in and raising the strategic stakes of cloud competition.
• Digital sovereignty: EU policymakers have elevated “digital sovereignty” as a cross‑cutting policy goal — ensuring that public services, critical infrastructure, and AI supply chains can rely on verifiable, contestable platforms that meet European legal and security norms.

These drivers, taken together, explain why Brussels is no longer content with case‑by‑case antitrust enforcement and instead is exploring ex‑ante, structural tools to shape contestability in cloud markets.

---

Legal mechanics: how the DMA could map (or not) to cloud​

The DMA is designed around quantitative thresholds (user counts, market capitalisation) and functional tests tailored to consumer‑facing core platform services. Mapping that framework onto cloud — where “users” are enterprise customers, and “services” may be IaaS/PaaS primitives with different performance semantics — is complex.
Key legal questions the Commission must resolve include:

• What constitutes a “core platform service” in the cloud context? Is IaaS/PaaS functionally equivalent to app stores or search from a gatekeeper perspective?
• How should the DMA’s quantitative thresholds be applied to enterprise cloud contracts, indirect markets (ISVs, marketplaces), and AI‑specific infrastructure?
• What remedies can be both enforceable and technically feasible without undermining the performance and security that large‑scale clouds deliver?

If the Commission decides the DMA is applicable, possible outcomes range from targeted obligations (non‑discrimination, portability tech standards, egress transparency) to full gatekeeper designation with mandatory behaviour rules and large financial penalties for non‑compliance. If the DMA is judged ill‑fitted, Brussels could instead craft sector‑specific remedies or combine DMA‑style duties with sectoral regulation.

---

What this means for cloud providers​

The hyperscalers are likely to contest the premise that scale equals anti‑competitive conduct. Their immediate arguments will emphasise:

• Consumer and customer benefits from scale — lower prices, global availability, and rapid innovation.
• Investment and security trade‑offs — that imposing structural or technical constraints could raise costs and slow capacity investment in Europe.
• Technical feasibility concerns — that prescriptive interoperability rules could reduce performance or create security risks.

Microsoft has publicly said it will participate and cooperate with the probe, while other providers have warned that blunt regulatory intervention could backfire for European businesses by raising costs or reducing innovation. These are predictable political lines that will shape the factual and legal record over the next 12 months.

---

Stakes for customers, competitors and Europe​

The probes are consequential for four overlapping constituencies.

• Public buyers (governments and large agencies) want stronger guarantees on data residency, legal jurisdiction, and resilience. Regulation that reduces lock‑in could increase bargaining power for public procurement.
• Enterprises and ISVs worry that fragmentation or inconsistent obligations across jurisdictions could increase operational complexity and costs. At the same time, they stand to benefit from greater portability and less friction when moving workloads.
• Smaller cloud and European providers hope the probes will yield measures that lower entry barriers and encourage a more competitive domestic cloud ecosystem.
• Global trade and tech diplomacy watchers see this as a potential source of transatlantic friction: tougher EU ex‑ante rules on US‑headquartered hyperscalers could trigger political pushback and wider trade negotiations.

---

Likely regulatory outcomes — ranked​

• Targeted, technical obligations (most probable): The Commission imposes specific requirements on data portability, egress transparency, and non‑discrimination between first‑party and third‑party services. These would be fine‑tunable and designed to avoid forcing wholesale architectural changes.
• Partial DMA designation for narrow cloud services: Rather than treating entire cloud stacks as gatekeeper services, Brussels could designate discrete cloud offerings (for example, managed marketplaces or identity fabrics) as regulated core platform services.
• Sectoral hybrid approach: The Commission combines DMA‑style obligations with sectoral rules (Data Act, AI Act) to create cross‑cutting obligations for cloud providers serving critical infrastructure.
• No DMA action — competition law remedies only (less likely): Authorities pursue targeted enforcement under traditional antitrust law focused on particular contractual or pricing abuses, rather than ex‑ante obligations.
• Structural remedies or divestitures (least likely in the near term): Only if the Commission finds systematic, repeated non‑compliance would it consider structural remedies; this remains a remote but powerful threat given DMA enforcement language.

---

Technical feasibilities and risks​

Applying DMA obligations to cloud raises thorny technical trade‑offs:

• Interoperability vs performance: Mandated APIs or portability layers can add latency and complexity. For high‑throughput AI workloads, even small performance penalties translate to large cost and time impacts.
• Security surface area: Requiring deeper access to control planes for portability or inspection raises questions about multi‑tenant isolation, key management and liability.
• Standardisation timeline: Creating usable, cross‑provider standards for complex services (databases, managed AI stacks, hardware accelerators) will take years and broad coordination across providers and standards bodies.
• Fragmentation risk: Divergent national or regional requirements could fragment markets, forcing providers to maintain multiple compliance stacks and raising costs for customers.

Those risks are frequently cited by industry and technical experts — and they are real. Policymakers must balance them against the clear harms of concentration and lock‑in. The art of regulation here will be precise, technical, and iterative.

---

Practical guidance for enterprise IT leaders (actionable checklist)​

Enterprises should treat this regulatory shift as a prompt to harden procurement and architecture now.

• Assess exit readiness. Inventory dependencies on provider‑specific managed services and estimate realistic migration costs (including egress, re‑engineering, and performance testing).
• Negotiate stronger contractual exit terms. Ask for clear egress pricing, data export guarantees, and technical migration support.
• Design for portability. Favor containerised workloads, open runtime APIs, and terraform‑style IaC templates that facilitate lift‑and‑shift.
• Encrypt and retain key control. Use customer‑managed keys and strict key‑rotation practices to ensure data remains portable and under enterprise control.
• Operationally test failover. Conduct real‑world migration and failover drills — not just tabletop exercises — to validate assumptions under load.
• Engage with vendors and regulators. Submit evidence during consultations and work with standards groups to shape practical portability solutions.

These steps lower migration risk and place negotiating power back in customers’ hands while regulators and providers grapple with long‑term policy change.

---

Strategic risks and winners​

• Winners if regulators act carefully: European cloud providers and open‑source ecosystems that enable portability; enterprises willing to invest in portability; customers who negotiate better terms.
• Risks if regulation is miscalibrated: Slower investment in European data centres, higher costs for customers, operational fragmentation that harms cross‑border services, and legal battles that delay clarity.

Regulatory enforcement that is too prescriptive could inadvertently make it harder for European organisations to secure high‑performance, resilient cloud infrastructure — a paradox policymakers aim to avoid.

---

What to watch next (timeline and milestones)​

• Formal Commission notices, statements, and requests for information — these will clarify the Commission’s legal theory of harm and the factual record it is building.
• Stakeholder consultations and DMA compliance workshops — where technical detail is debated and standards proposals surface.
• Parallel national actions (UK CMA, national competition authorities) — coordinated findings could amplify Brussels’ options or produce divergent remedies.
• Evidence submissions from cloud customers and competitors — the strongest empirical cases will shape remedial options.
• Any interim measures or emergency orders if operations are judged to pose immediate systemic risks.

Expect this docket to be intensely technical, legally contested and politically charged; the next 12 months will not be quiet.

---

Verification note and cautionary flags​

The core facts of the Commission’s market investigations into AWS and Microsoft Azure and the opening of a third DMA‑fitness probe are supported by independent reporting and the Commission’s investigatory framework; these are load‑bearing claims verified against major press coverage and Commission guidance. Some early media accounts relied on briefings attributed to unnamed sources; where reporting depends on single anonymous briefings, treat those particular attributions with caution until formal Commission filings appear. The Commission’s public notices and non‑confidential documents will be the authoritative record for the legal scope, timeline and remedial options.

---

Final assessment — balancing benefits and risks​

The European Commission’s probes into hyperscale cloud services represent one of the most important regulatory inflection points since the DMA itself. If well‑calibrated, the outcome could reduce vendor lock‑in, improve portability, and spur innovation by making cloud markets more contestable. That would be a material benefit for European public buyers, start‑ups and SMEs that face prohibitive switching costs today.
But there are real dangers: clumsy or overly prescriptive rules could fragment critical infrastructure, deter investment in high‑performance data centres and accelerators, and introduce security or performance regressions that harm users. The policy challenge is technical as much as legal: regulators must pursue evidence‑based, narrow remedies that tackle demonstrable harms while preserving the scale advantages that deliver security, resilience and global reach.
For enterprises and IT leaders, the prudent path is clear: prepare for change by strengthening portability, renegotiating contracts, and operationally validating alternative paths. For policymakers, the test will be whether they can design precise, enforceable measures that enhance contestability without producing unintended systemic costs.
The probes are a live, high‑stakes laboratory for how democratic states can govern digital infrastructure in an era of AI and hyperconsolidation. The decisions that follow will ripple through procurement desks, data centres and development roadmaps for a decade.

---

Source: Cryptopolitan Big Tech cloud service providers land in EU regulation crosshairs - Cryptopolitan