EU Probes AWS and Azure Under DMA: Cloud Portability Rules

Background​

Why Brussels moved on cloud: the case the Commission is making​

• Market concentration and entrenched positions. National reviews and industry trackers show that a small group of hyperscalers captures much of public-cloud spend in many European markets, giving rise to scale advantages that are difficult for new entrants to overcome.
• Switching friction and anti‑competitive conduct. Regulators and rivals have repeatedly flagged contractual and technical friction points — notably egress fees, proprietary APIs, and licensing differentials (for example, how Microsoft licenses Windows Server or SQL Server on rival clouds) — that can lock customers in. These are core lines of inquiry for the Commission.
• Systemic resilience and the AI accelerant. High‑profile outages, plus the explosion of AI workloads that require specialized accelerators and tightly integrated stacks, have converted a competition problem into a national-security and industrial-policy issue: over-dependence on a few providers can amplify systemic risk and shape who can compete in AI.

What the investigations will examine (technical and legal lines of inquiry)​

Portability, egress fees and data access​

• Are data export processes practically usable for production workloads?
• Do egress fees or slow, partial export tooling make migration prohibitively expensive or operationally risky?
• Can customers access billing, telemetry and application data in formats that permit real migration?

Licensing and pricing practices​

• Do software licensing terms and discounts materially favor running the software on the provider’s own cloud?
• Are there differential obligations or charges that make rival clouds economically unattractive for certain workloads?

Self‑preferencing, bundling and managed services​

• Do hyperscalers give preferential placement, performance or pricing to their own managed services, marketplaces or developer tooling?
• Is bundling used in ways that make independent ISVs and alternative infrastructure providers less discoverable or viable?

Interoperability, APIs and control‑plane primitives​

• To what extent are important control‑plane features proprietary?
• Are there standard interface options that truly allow multi‑cloud orchestration with predictable performance for latency‑sensitive workloads?

Systemic risk, outages and resilience​

Legal mechanics: how the DMA’s designation process works for cloud​

What’s already on the record: prior regulatory findings and market data​

• The UK’s CMA reported strong market concentration, concluding that AWS and Microsoft each hold substantial shares of cloud spending in the UK and recommending further action under new UK rules. It highlighted switching costs and licensing differentials as material concerns.
• Industry data from market research firms show the top three global providers (AWS, Microsoft, Google) account for a large portion of European cloud spending; the precise percentages vary by segmentation and metric, but independent trackers consistently report a highly concentrated top tier.
• The Commission’s press release confirms the three market investigations and frames them as both competition and strategic policy work related to AI and resilience.

Potential outcomes and remedies: what could change​

• No designation, but sectoral remedies or commitments. The Commission could conclude the DMA is not the right vehicle for cloud and instead secure legally binding commitments (behavioural remedies) from providers to address specific practices (egress transparency, improved export tooling).
• Designation of specific cloud services as gatekeepers. The Commission could designate AWS, Azure or parts of their service stacks as gatekeeper core platform services under the DMA’s qualitative route. Designation would trigger:
• Non‑discrimination obligations for business users.
• Interoperability and portability duties where technically feasible.
• Bans on unfair tying and bundling for certain integrations.
• Enhanced transparency and audit requirements.

• Legislative or delegated‑act adaptation of the DMA. The horizontal probe could recommend targeted updates to the DMA (via delegated acts or guidance) to clarify how portability, active-user metrics and interoperability rules apply to enterprise infrastructure and AI stacks. That would create a longer-term change in the regulatory architecture for cloud.
• Monetary fines or structural remedies for breaches discovered during the investigation. If the Commission uncovers past infringements, fines and structural interventions remain legally available, though they are typically reserved for severe, repeated non‑compliance.

Strategic impacts — who stands to gain and who will be exposed​

For hyperscalers (AWS and Microsoft)​

• Short term: resource burden of massive compliance processes, disclosure, and possible contractual changes. Public statements from both companies warned that heavy‑handed remedies could raise costs and complicate service delivery.
• Medium term: potential curbs on bundling, preferential pricing, and proprietary control‑plane features. This would reduce some incumbent advantages but could also limit how hyperscalers innovate in tightly integrated managed services.
• Long term: if the DMA is successfully adapted to cloud, hyperscalers will face a recurring compliance regime across the EU that affects product design, pricing and go‑to‑market strategy.

For customers (enterprises, governments)​

• Benefits: stronger contractual portability, clearer data access rights, and potentially fairer pricing and non‑discrimination for business users. Gatekeeper obligations could materially reduce lock‑in for many workloads.
• Risks: increased complexity and potential cost increases as providers reprice offerings or pass compliance costs downstream; fragmentation where providers expose APIs to satisfy regulators but with differing semantics; and the chance that stricter rules slow rapid rollouts of managed, integrated services (including managed AI offerings).

For smaller cloud providers and challengers​

• Benefits: reduced anti‑competitive self‑preferencing and better interoperability could lower barriers to adoption and help alternative cloud or national providers compete.
• Risks: if the regulatory response is poorly designed, it could inadvertently raise customer switching costs or create compliance overheads that favour the largest vendors who can absorb them — a classic regulatory capture hazard.

Critical analysis: strengths, gaps and risks in the Commission’s approach​

Strengths — why the investigation is justified​

• The move addresses real structural issues: concentration, dependency, and lock‑in that national reviews have already documented. Treating cloud as a strategic infrastructure for competition and resilience is consistent with broader EU industrial and digital sovereignty goals.
• The DMA’s qualitative pathway is a legitimate legal instrument to reach services that function as gatekeepers but don’t fit consumer‑facing metrics; using it avoids a regulatory vacuum and demonstrates adaptability.
• The Commission is combining company probes with a horizontal study — a prudent design that separates firm-specific findings from systemic rule‑making. This reduces the risk of premature, one-size-fits-all remedies.

Gaps and open questions​

• Measurement and metrics. The DMA’s thresholds (45 million monthly active users, turnover thresholds) are poorly aligned with cloud metrics (contract value, capacity, active workloads). How the Commission maps those concepts to cloud will be decisive and remains an open methodological challenge.
• Technical feasibility of portability. For some workloads, particularly GPU‑accelerated AI training or specialized managed services, true portability may be technically infeasible without major redesign. The Commission must balance enforceable interoperability with realistic technical constraints.
• Investment and innovation trade‑offs. Overly prescriptive obligations could disincentivize the capital‑intensive investments that hyperscalers make in global datacenter footprints and specialized accelerators — the very investments that underpin cloud performance and availability. The Commission must calibrate remedies to avoid chilling investment while protecting competition.

Risks and unintended consequences​

• Regulatory fragmentation: If the EU requires provider‑specific interfaces or mandates particular portability formats, the ecosystem risks splintering into variations that increase vendor lock‑in in practice (different “standard” APIs for different regions). Coordination across jurisdictions will be crucial.
• Cost pass‑through: Compliance costs could be passed to customers, particularly SMEs, harming the very organizations the DMA aims to protect.
• Litigation and delay: Gatekeeper designation and complex technical remedies will prompt legal challenges that could delay outcomes (and leave markets in regulatory limbo). The Commission’s 12‑month target is ambitious; expect procedural contestation.

Practical guidance for IT leaders and procurement teams​

• Audit and document portability risk. Identify the workloads, data and services that would be hardest to migrate (specialized accelerators, proprietary managed databases) and cost‑model migration scenarios.
• Reinforce exit clauses and SLAs. Negotiate stronger contractual guarantees for export tooling, reasonable egress terms, transitional support and performance SLAs.
• Design for mobility. Where feasible, adopt containerization, standardized orchestration (Kubernetes), and abstraction layers to decouple applications from provider-specific primitives.
• Stress-test resilience. Simulate failovers and recovery plans that do not rely on a single cloud region or provider for mission‑critical services.
• Monitor procurement law and compliance obligations. Public-sector buyers should watch the probes closely; a designation could alter supplier selection, tender requirements and audit obligations.

Geopolitical context and the transatlantic dimension​

What to watch next: timeline and signals​

• Short term (weeks–months): the Commission will collect evidence, invite stakeholder submissions and request contractual and technical documentation from AWS and Microsoft. Expect a steady stream of position papers from cloud rivals, industry associations and national authorities.
• Medium term (up to 12 months): targeted market investigation decisions on whether to designate one or both services as gatekeepers; if designation occurs, a compressed compliance window will follow.
• Longer term (12–18+ months): the horizontal study could recommend delegated‑act changes to the DMA or sector‑specific guidance clarifying how portability, interoperability and gatekeeper obligations apply to cloud and AI infrastructure.

Conclusion​