EU Probes AWS and Azure Under DMA as Cloud Gateways

Brussels has opened formal market investigations into Amazon Web Services and Microsoft Azure to determine whether their cloud platforms act as critical “access gateways” and should face tougher obligations under the European Union’s Digital Markets Act — a move that could reshape how hyperscalers operate in Europe and force customers and competitors to rethink pricing, contracts, and technical portability.

Background​

The European Commission’s Digital Markets Act (DMA) established a new regulatory regime targeted at large digital players that act as “gatekeepers” between businesses and consumers. While the DMA’s initial quantitative thresholds singled out specific services and companies in 2023, the law also empowers the Commission to launch qualitative market investigations when a service behaves like a gatekeeper in practice. Those market investigations can result in services being brought within the DMA’s scope even when the numerical thresholds are not met. The Commission has used that tool before and its recent activity shows Brussels is willing to apply the DMA dynamically across sectors that have become strategic — including cloud infrastructure. In its decision to examine cloud infrastructure, the Commission is responding to mounting regulatory scrutiny of the cloud market across Europe and the United Kingdom. Regulators and industry groups have raised concerns about entrenched market power, switching costs, opaque pricing (notably egress charges), and licensing terms that may favour the hyperscalers’ own cloud offerings. Those commercial practices are said to create lock-in effects that make migration or multi-cloud strategies costly and complex for customers. Regulators have signalled that these issues are not only competition problems but also strategic vulnerabilities for critical digital infrastructure and the EU’s digital sovereignty.

---

What the investigations cover and the legal mechanics​

What Brussels has opened​

The Commission has launched market investigations specifically to assess whether AWS and Microsoft’s cloud services function as critical gateways between businesses and the end users they serve — in other words, whether their behavior and position in the market justify bringing cloud infrastructure explicitly within the DMA’s remit. The investigations will probe commercial practices (pricing structures, discounts, egress fees), technical constraints (portability, custom hardware dependencies, APIs), and the degree to which customers and independent cloud providers are effectively locked into a single vendor.

Why the DMA matters for cloud providers​

The DMA imposes prescriptive "do’s and don’ts" on designated gatekeepers that go beyond traditional competition remedies. If a service is designated as a gatekeeper under DMA principles, it faces obligations such as prohibitions on self-preferencing, obligations to ensure interoperability where feasible, and constraints around combining personal data across services. Non-compliance carries heavy sanctions: fines can reach up to 10% of global turnover for single infringements and up to 20% for repeated violations, with additional periodic penalty payments possible. The Commission also has the ability, following a market investigation, to require remedies that can be behavioural or structural in nature.

Timelines and processes​

Past DMA market investigations have ranged in length depending on scope. For services below the DMA’s quantitative thresholds, qualitative market investigations can take up to 12 months, after which the Commission may designate a service and give the company a period (commonly six months) to make the service compliant with DMA obligations. The process is deliberately dynamic: the Commission has used it to designate services that do not meet raw thresholds but functionally act as gateways. Businesses should therefore expect a methodical, evidence-driven inquiry rather than a rapid enforcement splash — but the consequences, if designation follows, are material and time-sensitive.

---

Why cloud infrastructure is now a regulatory focal point​

Market concentration and strategic importance​

The cloud infrastructure market is highly concentrated among a small number of global hyperscalers. Independent analyses and regulator findings point to AWS and Microsoft holding dominant shares in core infrastructure-as-a-service (IaaS) segments in many key markets, with Google cloud trailing in third place. The U.K. Competition and Markets Authority (CMA) has recently described AWS and Microsoft as holding "significant unilateral market power" and recommended further scrutiny of the pair under Britain’s new digital markets rules — an indicator that national regulators are aligned with EU-level concerns about cloud market dynamics. Beyond market shares, cloud platforms underpin the delivery of modern software, data, and increasingly critical AI workloads. Outages, interoperability bottlenecks, or commercial friction in cloud contracts can cascade through supply chains and public services, which has elevated political attention to the sector’s competitive and resilience dynamics. The EU has also placed cloud policy alongside data and AI initiatives aimed at preserving digital sovereignty, and that political lens amplifies the urgency of regulatory action.

Core friction points regulators cite​

• Egress fees and data portability: High or opaque charges to move data out of a cloud environment increase migration costs and discourage switching.
• Licensing practices and software portability: Conditions that make running common software (e.g., proprietary OS or database products) more expensive on rival clouds can skew customer choices toward a hyperscaler’s own platform.
• Proprietary services and custom silicon: Services that rely on vendor-specific hardware or heavily integrated managed services add technical switching costs beyond plain data movement.
• Self-preferencing and bundling: Tying attractive pricing or functionality to use of a provider’s own software stack can disadvantage competing cloud hosts and downstream software vendors.

---

What this could mean for Amazon, Microsoft and the wider cloud ecosystem​

For hyperscalers: compliance, strategy and cost​

If AWS or Azure are found to function as DMA-style gatekeepers for cloud infrastructure, Brussels could compel changes such as:

• Greater transparency in pricing and fees, including limits on or staged reductions to egress charges.
• Requirements to make critical APIs or interfaces available to third parties on non-discriminatory terms to reduce switching friction.
• Prohibitions on self-preferencing where a provider’s own software, marketplaces, or managed services are favoured in ways that exclude competitors.
• Mandates around licence parity or clearer BYOL (bring‑your‑own‑license) portability for commonly used enterprise software.

Complying with such rules would trigger immediate engineering and contractual workstreams inside the hyperscalers, plus ongoing operational costs to maintain regulatory compliance. Firms often respond by arguing that some obligations risk undermining proprietary security or raising costs for all customers — an argument regulators will weigh during the investigation.

For enterprise customers and MSPs​

Enterprises that depend on the cloud should expect both near-term and medium-term changes:

• Contract re-negotiations: Procurement teams must scrutinize egress, portability clauses, and termination terms. The regulatory scrutiny could create negotiating leverage but also temporary uncertainty in pricing.
• Multi-cloud contingency planning: Customers may accelerate investments in Kubernetes, containerization, and data portability tooling to reduce switching costs independent of regulatory outcomes.
• Cost volatility: Hyperscalers could respond to compliance costs by adjusting commercial models; some fees may shift, and compliance costs might be passed to customers in nuanced ways.
• New service offerings from regional/cloud-native providers: Regulatory changes could encourage the growth of local cloud providers and sovereign cloud offerings that compete on contractual clarity and tailored compliance.

For smaller cloud providers and software vendors​

Smaller European cloud providers and independent software vendors have long lobbied for clearer rules to prevent unfair licensing and pricing practices. The Commission’s probe, and related national enforcement activity, could produce remedies that level some competitive asymmetries — e.g., facilitating BYOL parity for Microsoft software on non-Azure stacks or curbing discriminatory discounts. However, remedies must be carefully scoped; overly prescriptive rules could create compliance complexity that disproportionately burdens smaller players.

---

Strengths of the Commission’s approach​

• Proactive, dynamic enforcement: The DMA’s market-investigation tool lets regulators react to gatekeeper behaviour even when strict numerical thresholds aren’t met, aligning enforcement with market realities rather than rigid metrics. That flexibility supports timely intervention in fast-evolving sectors like cloud.
• Focus on contestability and resilience: Targeting practices that raise switching costs directly addresses the root causes of lock-in and can promote healthier competition and diversity of infrastructure providers.
• Holistic policy alignment: The cloud probe dovetails with other EU initiatives — notably the Data Act and emerging AI governance — creating a more coherent policy framework for data portability, interoperability, and digital sovereignty.

---

Risks and potential downsides​

• Overreach and innovation chilling: Heavy-handed obligations could reduce incentives for hyperscalers to invest in novel infrastructure, custom silicon, or specialized managed services that deliver performance or cost advantages. Poorly calibrated rules risk slowing innovation that benefits customers.
• Fragmentation and complexity: Divergent compliance regimes across jurisdictions (EU DMA, UK DMCCA equivalents, and other national rules) could force global providers to fragment offerings and contractual terms — increasing costs for international customers.
• Security and reliability trade-offs: Mandating broad access to proprietary interfaces or hardware-level capabilities raises legitimate security concerns. Translating interoperability into safe, standardised interfaces is technically complex and could create attack surfaces if rushed.
• Cost pass-through: Compliance and enforcement costs may be passed along to customers. For example, detailed reporting requirements and auditability obligations impose engineering and operational costs that hyperscalers may factor into pricing.

Where possible these risks can be managed by tailoring remedies, creating phased implementation windows, and working with industry to define secure, standardised APIs and portability specifications — but intentional design and stakeholder consultation are critical.

---

Timeline realities and what to watch next​

• The market investigations will collect evidence, hear from ecosystem stakeholders (competitors, customers, industry bodies), and test technical claims about portability, APIs, and the nature of vendor lock-in. This phase can extend many months.
• If Brussels concludes a gatekeeper designation is warranted, a formal designation and targeted DMA obligations could follow; once designated, firms usually have a time-limited window to implement remedies.
• Parallel national actions (for example the U.K.’s CMA inquiries and any domestic enforcement) can create overlapping obligations that firms must manage simultaneously. Enterprises should monitor both EU and national regulator announcements closely.
• Litigation and political pushback are likely. Hyperscalers have deep legal resources and will challenge designations or specific obligations as needed, meaning that final remedies may emerge after litigation or negotiation.

---

Practical steps for IT teams, procurement and decision-makers​

• Inventory and categorize critical workloads: know which workloads are single‑cloud, which are portable (containers, VMs), and which depend on proprietary managed services.
• Audit contract clauses: identify egress charges, data locality commitments, termination rights, and any software-licensing constraints that may affect portability.
• Prioritise data egress strategy: assess the cost and time to export data and rebuild workloads elsewhere; build tested export procedures.
• Strengthen portability-layer tooling: codify infrastructure-as-code, containerisation, service mesh, and cloud-agnostic abstractions to reduce vendor coupling.
• Re-evaluate BYOL exposure: confirm licensing parity, support entitlements, and run scenarios for running critical software on rival clouds.
• Model financial impacts: plan for potential shifts in billing practices and for compliance-related pass-through charges over 12–24 months.
• Engage vendors: request commitments on portability, transparency in egress pricing, and concrete migration-assistance terms in forthcoming multi-year procurement negotiations.

These steps are pragmatic and help organisations reduce dependency risk regardless of the ultimate regulatory outcome.

---

Technical considerations: portability, APIs, and managed services​

Portability is not a binary state. Simple storage or VM migration is often straightforward, but real-world enterprise workloads increasingly depend on managed, value-added services: specialized databases, AI accelerators, distributed caching, and analytics pipelines that are deeply integrated into a provider’s ecosystem. Moving these workloads requires careful re-architecture or vendor-supported migration tooling.
Kubernetes, container standards, and open-source middleware do reduce vendor lock-in, but they don’t eliminate it: managed database migrations, different instance-types, custom machine-learning accelerators and performance tuning all introduce practical switching costs. Any DMA remedies that require interoperability must therefore be precise about the interfaces and data semantics to be opened, and they should be implemented in a way that preserves security and performance expectations.

---

Geo-political and industrial policy angles​

EU policymakers view cloud infrastructure not merely as a commercial market but as strategic infrastructure that touches national security, public service continuity, and sovereignty. That drives interest in “sovereign cloud” options and in bolstering a European cloud ecosystem that can host sensitive workloads with stricter jurisdictional guarantees. Hyperscalers have already responded with regional or sovereignty-tailored products, but regulators want systemic contestability, not just isolated product lines. This also has diplomatic and commercial implications: forcing rules that significantly diverge from the U.S. regulatory environment could generate transatlantic tensions, trade negotiations, or reciprocal policy pushes in other jurisdictions. Firms operating globally will thus weigh regulatory compliance alongside broader market and political strategy.

---

What remains uncertain and flagged risks​

• The Commission’s investigations are fact-finding exercises, not predetermined judgments. It is possible the inquiry will conclude DMA obligations are not warranted for cloud services, or that alternative policy instruments (e.g., the Data Act) suffice to address the Commission’s concerns.
• Exact remedies, if any, are unknown. The Commission may favour narrowly tailored operational changes (greater transparency, technical portability standards) rather than structural remedies.
• Potential unintended consequences — higher compliance costs, slower product innovation, or geopolitical fragmentation — are plausible but not inevitable; much will depend on the scope and design of any imposed obligations.

These are not speculative details but core uncertainties that should shape how firms plan for both rapid and measured scenarios.

---

Bottom line: a pivot point for cloud competition and corporate procurement​

Brussels’ market investigations into AWS and Microsoft Azure mark a meaningful escalation in the regulatory focus on cloud infrastructure. The move signals that digital competition law is evolving from consumer-facing platform regulation into the backbone of enterprise IT policy. For enterprises, the near-term challenge is pragmatic: review exposure, plan migration paths, and renegotiate commercial terms where possible. For hyperscalers, the imperative is operational — be ready for binding transparency, portability, and non-discrimination obligations that could reshape product roadmaps and pricing structures.
Regulatory intervention could open competitive space for regional cloud providers and stimulate new interoperability standards that benefit customers long-term. Yet the path to those outcomes carries technical, legal, and economic complexity. The next 12 months of market investigation and stakeholder engagement will therefore be decisive: they will determine whether Europe’s cloud future is shaped by prescriptive access rules, market-driven portability, or a blend of both — and every CIO, procurement lead, and cloud architect should be paying attention.

---

Source: The Economic Times https://m.economictimes.com/tech/te...ougher-eu-rules/amp_articleshow/125409479.cms