EU Probes AWS and Azure Under DMA as Cloud Gatekeeper Investigations

The European Commission has opened a trio of market investigations into Amazon Web Services (AWS) and Microsoft Azure under the Digital Markets Act (DMA), testing whether hyperscale cloud platforms should be treated as regulated “gatekeepers” and whether the DMA’s toolbox is fit to police competition in cloud infrastructure — a move that could reshape procurement, interoperability and the economics of cloud computing across Europe.

Background / Overview​

Cloud computing is no longer a background utility. Over the last decade it has become the strategic backbone for enterprise IT, national public services, and the compute fabric that powers generative AI. That centrality is precisely why Brussels has chosen to put AWS and Azure under the DMA microscope: the Commission wants to know whether a small number of hyperscalers now act as indispensable intermediaries whose behaviour can foreclose competition, raise switching costs, and create systemic resilience risks.
The inquiries comprise three distinct strands: two focused market investigations — one each into AWS and Microsoft Azure — to determine whether those cloud services functionally and economically qualify as “gatekeeper” core platform services; and a third, horizontal probe that will test whether the DMA’s existing obligations and metrics can sensibly be mapped onto enterprise cloud markets. The Commission has signalled an ambition to complete the fact‑finding within roughly 12 months, a timetable that reflects both urgency and the technical complexity of the task. Why now? Three converging forces pushed cloud to the top of the policy agenda:

• Market concentration: independent analysts show that AWS, Microsoft and Google together account for roughly 70% of European cloud spend, leaving European incumbents with a small local share.
• Switching friction: contractual terms, proprietary APIs, licensing differentials and egress costs that can materially increase the cost and complexity of moving workloads off a provider.
• Resilience and AI: repeated high‑impact outages and the rapid growth of AI workloads have magnified the economic and public‑policy stakes of cloud concentration.

These factors make cloud governance a mix of competition policy, industrial strategy, and critical‑infrastructure resilience — a cocktail that is both politically potent and technically fraught.

---

What Brussels is actually investigating​

The three probes, in plain terms​

• Market investigation into AWS — does Amazon Web Services act as a gatekeeper for cloud services in Europe? Investigators will seek evidence about market power, switching costs and any conduct that disadvantages rivals or customers.
• Market investigation into Microsoft Azure — the same functional test applied to Azure: are Azure’s offerings operating as indispensable intermediaries between businesses and customers?
• Horizontal study of the DMA’s fitness — can a regulation designed for consumer‑facing platforms (app stores, search engines) be usefully adapted to an infrastructure domain where metrics like contract value, capacity and latency are more relevant than “monthly active users”?

Core technical and commercial lines of inquiry​

Investigators will probe concrete practices flagged by regulators and industry participants:

• Data portability and egress pricing: Are exit fees and technical obstacles structured in ways that materially deter migration?
• Self‑preferencing and bundling: Do first‑party managed services, marketplaces or consoles receive preferential treatment that disadvantages third‑party ISVs?
• Licensing and pricing structures: Do software licensing rules make it economically or operationally cheaper to run workloads on the incumbent’s cloud?
• Interoperability and control‑plane access: Are proprietary APIs and platform primitives gating practical multi‑cloud operations or fast failover?
• Operational concentration and systemic risk: How do outages and concentration affect resilience for critical sectors and public services?

The Commission will gather technical evidence, contractual documents and stakeholder testimony. The horizontal probe will explicitly address a critical legal question: even where a provider does not meet the DMA’s numerical thresholds, can the Commission still designate a service as a gatekeeper based on qualitative evidence? The answer matters because the DMA includes a discretionary, investigative route precisely for cases that fall outside neat quantitative boxes.

---

What “gatekeeper” designation would mean in practice​

Under the DMA, designated gatekeepers face immediate, mandatory obligations intended to prevent exclusionary behaviour and enhance interoperability. These include requirements for non‑discrimination, technical interoperability, data portability and prohibitions on self‑preferencing; enforcement carries heavy fines — up to 10% of global annual turnover for initial breaches, and higher for repeated infringements. The DMA also allows for behavioural or structural remedies where necessary. If AWS or Azure were designated as gatekeepers for certain cloud services, consequences could include:

• Mandatory interoperability for essential cloud primitives (identity, control‑plane interfaces, storage export formats).
• Restrictions on self‑preferencing, such as favouring first‑party managed AI services or marketplaces in ways that distort visibility or performance.
• Enhanced data‑portability obligations or transparent, non‑discriminatory egress pricing.
• Possible procurement and compliance implications for public‑sector buyers who would gain stronger negotiating leverage and enforceable portability protections.

Importantly, gatekeeper obligations are ex‑ante and prescriptive — they are designed to change business models pre‑emptively, rather than as after‑the‑fact antitrust remedies. That means the design and calibration of remedies are critical: over‑broad technical mandates could damage performance or deter investment; under‑specified obligations could leave oligopolistic dynamics intact.

---

Market picture: why the Commission cares​

Synergy Research Group’s regional analysis shows that Amazon, Microsoft and Google together now account for roughly 70% of the European cloud market — a concentration that gives hyperscalers outsized influence over price formation, technical standards and AI service delivery. That concentration influences policymaking in two ways:

• It increases the risk of durable incumbency where scale advantages, proprietary stacks and long procurement cycles raise structural barriers to entry.
• It elevates systemic resilience concerns: outages at major hyperscalers cascade widely, and AI’s demand for specialized accelerators and integrated managed services deepens vendor lock‑in.

From a public procurement perspective, the combination of high switching costs and concentration can erode sovereign control over critical data and services. For private buyers, it tilts bargaining power toward large providers and can raise total cost of ownership for multi‑cloud strategies.

---

Reactions from industry and politics​

Publicly available reporting shows AWS warned that tagging cloud providers as gatekeepers could stifle innovation and inflate costs for European firms, arguing that ex‑ante obligations designed for consumer platforms are a poor fit for infrastructure markets. Microsoft’s public comments have been more measured, indicating cooperation with the probe while urging nuance. Reuters’ coverage summarises these initial company responses. Political dynamics complicate the picture. The DMA is a flagship instrument of EU digital policy, but its enforcement of non‑EU incumbents often draws attention from transatlantic trade partners. Expect intense lobbying from hyperscalers, industry trade bodies, and national governments that are concerned both about competition and about preserving investment incentives for large data‑centre projects.

---

Legal and technical challenges: mapping DMA to cloud semantics​

The DMA was drafted around consumer‑facing core platform services and includes quantitative thresholds based on user counts and market capitalisation. Applying those metrics to infrastructure markets raises multiple mapping problems:

• How to define an “active user” for IaaS and PaaS? Is it the number of business contracts, the number of developer accounts, or the downstream reach of services hosted on the cloud?
• How to equate contract value and capacity quotas to the DMA’s user‑centric thresholds?
• What does “interoperability” mean for performance‑sensitive control‑plane primitives where latency, security and correctness are non‑negotiable?

Those are not trivial semantic queries — they determine whether obligations are technically feasible and proportionate. The Commission’s horizontal probe will have to define a set of implementable technical standards or risk producing rules that are legally unenforceable or operationally destructive.

---

Strategic trade‑offs: risks and benefits of intervention​

Potential benefits​

• Reduced vendor lock‑in: Enforceable portability and non‑discrimination could lower switching costs and spur competitive offerings from regional cloud providers.
• Greater contestability: A clearer regulatory floor might incentivize interoperability standards and enable specialized challengers to co‑exist.
• Stronger public‑sector resilience: Procurement gains and portability safeguards would help governments avoid overreliance on a single global supplier.

Potential risks​

• Investment distortion: Overly prescriptive rules could reduce hyperscalers’ incentives to invest in cutting‑edge AI accelerators and high‑performance data centres.
• Fragmentation: Heavy regional requirements that diverge across jurisdictions could create compliance complexity and technical fragmentation of cloud interfaces.
• Operational regressions: Mandating open interfaces for performance‑critical control planes could expose new attack surfaces or reduce service reliability if not carefully specified.

Policymakers face a difficult trade: how to protect competition and resilience without undermining the scale economics that drive cloud security and global reach. The Commission’s technical annexes and stakeholder consultations will be decisive in striking that balance.

---

What this means for Microsoft, Amazon and the rest of the market​

For the hyperscalers, a designation would be a fundamental change in the compliance landscape. Gatekeeper obligations would require operational and commercial shifts — changes to APIs, visibility rules in marketplaces, licensing terms and possibly to pricing structures for managed services and egress.
For challengers and regional cloud providers, a well‑calibrated intervention could improve access and level the field — but only if rules are technical, enforceable and avoid creating perverse incentives that benefit incumbents who can absorb compliance costs more easily.
For customers — enterprise IT teams and public buyers — the probes are already a signal to act:

• Map cloud dependencies and proprietary primitives.
• Negotiate clearer exit clauses, migration SLAs and egress price caps.
• Trial multi‑cloud disaster recovery and failover strategies for critical workloads.

---

Practical advice for IT and procurement leaders​

Immediate tactical steps will reduce exposure and preserve strategic optionality while regulators deliberate. The following are pragmatic, sequenced actions:

• Map vendor lock‑in exposure.
• Catalog workloads, managed services and data flows that rely on provider‑specific features.
• Estimate technical and contractual migration costs.
• Strengthen contractual exit terms.
• Negotiate clearer egress pricing, migration assistance, and defined SLAs for export times and data formats.
• Prioritise portability for strategic workloads.
• Use containerisation, standard storage formats and abstraction layers to decouple apps from provider‑specific primitives.
• Rehearse and test cross‑cloud failover.
• Implement staged DR exercises that include multi‑cloud failover for critical services; test recovery RTO/RPO under realistic loads.
• Engage procurement and legal early.
• Build clauses that provide audit rights, independent verification of portability, and specific remedies for non‑compliance.
• Track the regulatory process.
• Follow Commission notices and contribute to industry consultations where allowed; regulatory submissions can shape technical definitions and remedy design.

These are practical safeguards that preserve service continuity and cost predictability while the political and legal debate unfolds.

---

How the DMA’s enforcement mechanics could play out​

If the Commission concludes a service should be designated, the next steps follow the DMA’s procedural path:

• The Commission issues a preliminary assessment and may request commitments.
• If designation is confirmed, the provider is required to comply with gatekeeper obligations within a legally specified period, and the Commission monitors compliance with powers to impose fines and behavioural remedies.

The DMA also allows the Commission to act under a fact‑finding route even when quantitative thresholds are ambiguous — a critical power for cloud markets, where user metrics and contract values do not map neatly onto consumer platform measures. That discretionary authority is why the current market investigations matter: they test both the companies and the statute’s adaptability.

---

Verification and cross‑checks​

Key factual claims in this article have been cross‑referenced with independent sources and Commission material:

• The opening of three market investigations (two targeted at AWS and Azure, plus a horizontal probe) is reported by major news agencies and summarised in the Commission’s public enforcement narrative.
• The DMA’s obligations and penalty regime (including fines up to 10% of global turnover for first breaches) are codified in the DMA text and Commission communications.
• Market concentration figures (top three providers ≈70% of the European cloud market) are drawn from Synergy Research Group’s regional analysis and corroborated by industry reporting.

Where reporting relies on company statements or press leaks, that coverage has been flagged in the Commission’s own procedural notes and industry commentaries; such reports are treated as provisional until corroborated by formal Commission notices or non‑confidential decisions.

---

Critical analysis: strengths and weaknesses of the Commission’s approach​

Notable strengths​

• Proactive, system‑level thinking: Treating cloud as strategic infrastructure rather than a commodity is realistic given AI’s compute concentration and the role cloud plays in national services.
• Legal flexibility: Using the DMA’s investigatory route allows the Commission to consider qualitative evidence where strict numerical thresholds are a poor fit for enterprise markets.
• Market signal: Formal investigations create an impetus for hyperscalers to be more transparent about portability, egress pricing and reliance on proprietary primitives.

Potential weaknesses and risks​

• Technical mismatch risk: The DMA’s consumer‑centric obligations could be ill‑suited to performance‑sensitive infrastructure unless the Commission involves deep technical expertise and narrowly scoped remedies. Poorly designed interoperability mandates risk operational degradation.
• Investment disincentives: If compliance is too costly, hyperscalers could slow investment in specialized AI hardware or regional data‑centres, potentially harming Europe's ability to access top‑tier compute at scale.
• Regulatory fragmentation: If member states or other jurisdictions adopt divergent rules, the resulting compliance landscape could raise costs and complexity for cloud providers and their customers.

Success depends on technical specificity and proportionality: remedies must be targeted to demonstrable harms, verifiable in the field, and engineered to preserve security and performance while restoring contestability.

---

Likely scenarios and timetable​

• Short term (0–12 months): the Commission completes fact‑finding, solicits evidence, and may request behavioural commitments. Firms will lobby, submit technical evidence and run public‑affairs campaigns.
• Medium term (12–24 months): the Commission issues preliminary findings; if gatekeeper designation is made, the DMA’s mandatory obligations would be triggered and compliance timelines enforced.
• Long term (24+ months): technical standards and interoperability frameworks could emerge, shaped by implementation practice and follow‑on rulemaking or delegated acts.

Expect legal challenges and negotiated settlements along the way. The DMA’s enforcement history shows the Commission prefers negotiated remedies where possible, but it is prepared to impose fines and stronger measures when commitments fall short.

---

Bottom line: a watershed moment with trade‑offs​

Brussels’ decision to put AWS and Azure through the DMA’s investigative machinery is one of the most consequential regulatory moves in cloud governance this decade. The probes recognise that cloud is strategic and that concentration now has ramifications beyond traditional price competition — it touches on resilience, sovereignty and the architecture of AI markets.
The path ahead will require unusually close cooperation between legal experts, cloud engineers, procurement professionals and policymakers. Narrow, evidence‑driven remedies have the potential to lower lock‑in and bolster contestability without undercutting investment; poorly designed rules risk fracturing a global infrastructure that depends on scale and technical excellence.
For IT leaders and procurement teams, the immediate imperative is practical: map dependencies, harden exit options, test multi‑cloud failover, and engage the legal and procurement functions to secure clearer contractual rights. For regulators, the imperative is equally technical: define what interoperability means for cloud control‑planes and managed services, and craft remedies that can be enforced without breaking the cloud.
This regulatory chapter is just beginning. The Commission’s probes will produce dense technical evidence, heated industry submissions and likely litigation — and their outcome will help define Europe’s relationship with cloud computing and AI for years to come.

---

Source: Finimize https://finimize.com/content/europe-puts-microsoft-and-amazons-cloud-power-to-the-test/