Navigation section

EU Probes AWS and Azure Under DMA to Test Cloud Gatekeeper Rules

  • Thread Author
A digital visualization related to the article topic.
The European Commission has opened a trio of market investigations into the cloud businesses run by Amazon Web Services (AWS) and Microsoft Azure — a move that explicitly tests whether hyperscale cloud platforms should be treated as “gatekeepers” under the Digital Markets Act (DMA) and whether the DMA’s toolbox can meaningfully be applied to infrastructure-level services that underpin Europe’s digital economy. This is not a routine antitrust probe: Brussels is asking hard questions about market concentration, switching costs, self‑preferencing, interoperability and data egress pricing — and it has given itself roughly 12 months to gather evidence and propose remedies.

Background​

Cloud computing today is foundational: governments, banks, telecoms, critical public services and virtually every major internet business run on infrastructure and managed services supplied by a very small number of firms. AWS and Azure are the two dominant public cloud providers globally, with Google Cloud in a distant third place in many markets. Independent market analyses and national regulators have repeatedly flagged the concentration that results from this structure — and the UK’s Competition and Markets Authority (CMA) and Ofcom have already sounded alarms about switching frictions such as egress fees and licensing practices that can cement vendor lock‑in. The DMA, adopted to tame gatekeeper power in a digital economy, sets ex‑ante obligations for platforms that meet quantitative and qualitative thresholds. The Commission has used the DMA before to designate major firms and impose mandatory transparency, interoperability and non‑discrimination duties; applying those principles to cloud infrastructure raises novel legal and technical challenges that Brussels has now committed to explore.

Why this probe happened: the proximate and structural drivers​

1. Concentration and high barriers to switching​

Hyperscalers control a substantial share of public cloud spend in many EU member states. The CMA’s work and industry trackers have repeatedly shown that AWS and Azure each command very large market slices in regions such as the UK and across EMEA, leaving smaller providers with limited ability to challenge incumbents. When a market is heavily concentrated, entrenched practices that raise the cost or complexity of migration become effective barriers to competition. Regulators view those frictions — whether contractual, pricing or technical — as classic signs of market power that warrant intervention.

2. Systemic outages and operational fragility​

High‑impact outages at major cloud providers over the last 12–24 months exposed how dependent many downstream services are on a handful of cloud primitives (DNS, identity fabrics, managed databases, global ingress/egress networks). When a control‑plane or edge misconfiguration cascades, the social and economic impact is immediate and broad. Those incidents heightened regulator urgency: concentration is not only a competition problem, it is a systemic‑risk and resilience problem.

3. The AI accelerant​

Generative AI and large‑scale machine learning are intensifying demand for specialised compute, networking and tightly integrated software stacks. Hyperscalers now offer managed AI stacks and custom accelerator access that are difficult to replicate elsewhere; customers build architectures and pipelines that are highly provider‑specific. That technical stickiness amplifies commercial lock‑in and raises the stakes for contestability in the age of AI. Policymakers increasingly see cloud concentration as a lever over next‑generation AI markets.

4. Political and sovereignty considerations​

European policymakers are explicitly framing cloud competition as part of a broader digital sovereignty agenda. Concerns about data residency, resilience of critical infrastructures and dependence on non‑EU providers feed a political will to reduce strategic exposure and expand in‑region alternatives. These geopolitical currents make regulators likelier to adopt aggressive interventions if they can be grounded in solid evidence of harm.

Legal framework: the DMA and market investigations​

What the DMA does — and what it does not​

The Digital Markets Act was designed around “core platform services” such as app stores, search engines and social networks; it imposes ex‑ante duties on firms designated as gatekeepers (firms with systemic market impact meeting defined thresholds). Designated gatekeepers are subject to obligations like non‑discrimination, data portability, and requirements to make certain features interoperable. In principle, if a cloud service or specific cloud offering is designated a core platform service, the provider faces binding obligations and heavy penalties for non‑compliance.

Why cloud complicates the DMA’s mechanics​

Applying the DMA to cloud raises immediate methodological questions. The DMA’s quantitative thresholds (turnover, market cap, number of users) and measurement approaches were drafted for consumer‑facing platforms and do not map cleanly to enterprise providers, contract values, or infrastructure capacity. The Commission’s third, horizontal probe will therefore test whether the DMA is fit for purpose in this domain or whether bespoke or sector‑specific tools are necessary. That is a central legal question of this inquiry.

What investigators will look for — the practical points of friction​

Regulators have a well‑worn playbook for what constitutes exclusionary conduct in platform markets; translated to cloud, the Commission’s areas of interest will include:
  • Data portability and egress fees — Are charges or technical impediments making it prohibitively expensive to move large datasets out of a provider? Do those costs materially reduce customers’ ability or incentive to switch?
  • Self‑preferencing and bundling — Do first‑party managed services, marketplaces or integrated stacks receive preferential treatment (pricing, performance, feature parity) that disadvantages third‑party offerings?
  • Licensing and pricing practices — Are licensing terms (for Windows, SQL Server or other middleware) structured to make it cheaper to run workload X on Azure rather than a rival cloud?
  • Interoperability and proprietary control‑plane features — Are APIs, orchestration primitives or control interfaces intentionally closed or engineered to frustrate migration, multi‑cloud architectures or seamless failover?
  • Market structure and entry barriers — Are investment costs, economies of scale, or contractual terms making entry for serious competitors infeasible in practice?
Each of these areas is evidence‑driven: the Commission will look for contracts, invoices, technical logs, performance data, customer testimonies and internal documents that show whether provider behaviour materially affects contestability.

Possible remedies EU authorities could consider​

If investigators find actionable harm or that DMA obligations should apply, the Commission’s toolkit ranges from behavioural to structural measures. Practical options include:
  1. Mandated interoperability and open APIs
    • Require non‑discriminatory access to essential control‑plane functions and published technical interfaces that enable migration and orchestration across providers.
  2. Limits on self‑preferencing and bundling
    • Ban or circumscribe practices that give first‑party managed services unfair commercial or operational advantages.
  3. Caps, standardisation or auditability of egress fees
    • Require transparent, standardized pricing or cap excessive exit charges that materially prevent migration.
  4. Data portability obligations and migration tooling
    • Oblige providers to supply audit‑grade migration tools, escrowed keys, or harmonised export formats to reduce friction.
  5. Transparency and independent audits
    • Require regular, independent audits of performance, preferential treatment claims and contractual terms, with public reporting.
  6. Hybrid, DMA‑tailored measures or sectoral rules
    • If the DMA is found imperfect for cloud, the Commission could recommend tailored sectoral remedies while proposing legislative updates.
Any of these measures would be technically and commercially complex to implement; they carry trade‑offs between contestability and incentives for large capital investment.

What this means for customers, competitors and cloud strategy​

  • For enterprise customers: expect a stronger negotiating position over the next 12 months and an incentive to audit exit clauses, egress pricing, key management and architecture portability. Large public buyers — governments and telecoms — are likely to revise procurement rules to demand stronger portability and sovereignty guarantees.
  • For competitors and smaller cloud providers: the investigations could unblock headroom for differentiation if remedies reduce lock‑in. However, commercial viability still depends on scale, data‑centre footprint and specialised hardware access (especially for AI workloads).
  • For AWS and Microsoft: a gatekeeper designation or binding DMA‑style obligations would force operational and contractual changes, increased disclosure and potential fines for breaches. Both companies have publicly pushed back in prior regulatory debates, warning about the risk of stifling innovation and raising costs. The Commission’s conclusion will shape global cloud governance norms.

Risks, trade‑offs and unintended consequences​

While contestability and resilience are legitimate public‑interest goals, aggressive ex‑ante interventions in cloud markets carry meaningful risks:
  • Investment chill — Hyperscalers argue that ex‑ante constraints could reduce returns on capital and thereby limit new data‑centre and specialised‑accelerator investments needed for AI and resilience. That is a credible concern: building global cloud capacity is capital‑intensive and driven by scale economics.
  • Technical fragmentation — Heavy-handed mandates that impose incompatible interfaces or divergent regional rules risk fragmenting the global cloud ecosystem. Fragmentation would raise costs for multi‑national businesses and increase complexity for software vendors.
  • Enforcement complexity — Translating DMA obligations to the technical semantics of control planes, APIs and orchestration primitives is non‑trivial. Rules that look good on paper may be hard to enforce in the field without detailed technical specifications and ongoing oversight.
  • Regulatory arbitrage and political pushback — The probe occurs against a charged geopolitical backdrop; the U.S. government and industry lobbyists see DMA‑style measures as potentially protectionist. Political pressure could influence the Commission’s course or provoke tensions in transatlantic trade relations.
These trade‑offs mean that any remedy must be narrowly tailored, technically feasible and calibrated to preserve incentives for innovation while protecting contestability.

Verifiable facts, cross‑checks and caution where reporting relies on anonymous sources​

  • Verified: The European Commission has opened market investigations into AWS and Azure and a third inquiry into DMA fitness for cloud markets; the Commission set an approximate 12‑month timeframe for these market reviews. This is confirmed in multiple reporting outlets.
  • Verified: The DMA provides ex‑ante obligations for designated gatekeepers and imposes significant fines for non‑compliance; the list of designated gatekeepers and the obligations are public. The DMA’s mechanics and thresholds are accessible in the Commission’s public materials.
  • Corroborated: UK regulators (CMA and Ofcom) have previously identified substantial market concentration and switching frictions in cloud, and recommended further action in the UK context; those findings influenced the EU’s agenda and provide prior empirical evidence for concentration concerns.
  • Caution: Early press accounts that attribute the Commission’s internal reasoning to single anonymous briefing(s) should be treated with care. Some outlets have relied on inside sources for the Commission’s thinking; formal Commission notices and public documentation remain the authoritative record. Where reporting uses anonymous sources, that dependency will be flagged in this piece.

Practical steps for IT leaders and procurement teams now​

  1. Map dependencies: catalogue workloads, managed services, and control‑plane primitives your business depends on and assess technical coupling to provider‑specific APIs.
  2. Audit exit costs and contractual terms: quantify egress fees, data export times and hidden migration costs for critical workloads.
  3. Design for portability: where feasible, adopt container orchestration, open formats and multi‑cloud-compatible data architectures to reduce single‑provider risk.
  4. Negotiate portability clauses: seek contractual commitments for migration tooling, testable egress SLAs and independent audit rights.
  5. Plan for resilience: implement multi‑region or multi‑cloud failover strategies for critical services where operationally and economically sensible.
These steps are sound risk management even if regulators decide against sweeping DMA remedies — they reduce vendor dependence and insulate operations from single‑provider failures.

How regulators should think about remedies (a checklist)​

  • Targeted and evidence‑based: only adopt remedies where the record shows clear, durable harm to competition or security.
  • Technically precise: legislate or insist on standards that map to control‑plane semantics and real-world migration processes.
  • Investment‑aware: calibrate obligations so they do not remove the commercial returns necessary for hyperscale investment in data centres and AI accelerators.
  • Internationally harmonised: work with other jurisdictions to avoid fragmentation and ensure global interoperability.
  • Time‑boxed and reviewable: adopt pilot or phased remedies with sunset clauses and periodic reassessment.
This pragmatic approach balances contestability with continued capital formation for critical cloud infrastructure.

Conclusion​

The European Commission’s decision to open market investigations into AWS and Azure marks a defining moment for how governments will regulate infrastructure that sits at the heart of modern digital life. The probes ask whether the DMA’s gatekeeper framework — designed for consumer platforms — can be adapted to the technical and contractual realities of cloud, and whether targeted remedies can reduce lock‑in without hampering investment and innovation.
For cloud customers, the immediate imperative is practical: map dependencies, pressure vendors for stronger portability guarantees, and design for resilience. For regulators, the challenge is technical and institutional: craft remedies that are precise, enforceable, and attuned to the unique economics of cloud. For the hyperscalers, the inquiry will likely mean more scrutiny, more disclosure and potentially new constraints on how they bundle services and price migrations.
This story will move fast and will be shaped by hard technical evidence, commercial documents and high‑stakes political negotiation. The next 12 months will determine whether Europe imposes a new set of ex‑ante rules on the backbone of the AI era — with consequences that reach well beyond the continent.
Source: Bloomberg.com https://www.bloomberg.com/news/arti...crosoft-azure-face-eu-probe-into-cloud-power/
 

Click to expand...
The European Commission has formally opened three market investigations into Amazon Web Services (AWS) and Microsoft Azure under the Digital Markets Act (DMA), testing whether the two hyperscale cloud providers function as “gatekeepers” in the cloud sector and whether the DMA’s toolbox is fit to address cloud-specific competition and resilience concerns.

DMA shield protects AWS and Azure cloud services.Background / Overview​

Cloud computing is no longer a commodity beneath the notice of policymakers — it has become the underpinning of national services, finance, logistics and the AI stacks that drive modern software. The European Commission’s step to investigate AWS and Azure is both procedural and strategic: two company‑specific market investigations (one for AWS, one for Azure) plus a horizontal review to determine whether the DMA should be adapted for infrastructure markets. The Commission said it will assess whether these cloud platforms “occupy very strong positions” and whether they “act as important gateways between businesses and consumers” — the qualitative gatekeeper test embedded in the DMA that can be used even when the usual numeric thresholds are awkward to apply to infrastructure services. Investigators aim to complete the inquiries within roughly 12 months. Why this matters: a gatekeeper designation under the DMA carries statutory obligations — non‑discrimination, data portability, interoperability, and explicit bans on self‑preferencing — backed by fines measurable as a share of global turnover and, potentially, by behavioural or structural remedies. Applying those obligations to cloud infrastructure would be legally novel and technically complex.

What the Commission is investigating​

The three inquiry strands​

  • Two company‑specific market investigations: test whether AWS and Azure, for particular cloud services, act as DMA-style gatekeepers.
  • One horizontal (sectoral) probe: evaluate whether the DMA’s current obligations and enforcement model are appropriate for enterprise cloud markets or whether tailored measures are needed.

Core lines of inquiry​

Investigators will gather technical evidence, contractual documents and stakeholder testimony on a set of concrete practices widely flagged by regulators and market participants:
  • Market concentration and entry barriers — the scale and footprint of hyperscalers in Europe, and how that affects contestability.
  • Switching friction and portability — egress fees, migration tool reliability, data export performance and practical barriers that raise the cost of moving workloads.
  • Licensing and pricing — whether software licensing practices (for example, how certain server or database licences are priced) advantage a provider’s own cloud or raise the cost of running those workloads elsewhere.
  • Self‑preferencing and bundling — preferential placement, performance or pricing for first‑party managed services that disadvantage third‑party ISVs.
  • Interoperability and control‑plane access — whether proprietary APIs, platform primitives or control‑plane semantics make multi‑cloud operations impractical for latency‑sensitive or complex workloads.
  • Systemic resilience — how outages and operational failures at a small set of providers can cascade across sectors, affecting public services and commerce.
These are evidence‑heavy, technical issues. The Commission’s horizontal probe will explicitly test if the DMA — originally drafted around consumer‑facing metrics like monthly active users — needs recalibration to measure infrastructure power using contract value, capacity, enterprise accounts and performance constraints.

The immediate catalysts: outages, concentration, and AI​

Three converging dynamics pushed cloud infrastructure onto Brussels’ priority list:
  • High‑impact outages in October 2025: AWS and Azure suffered separate, widely visible incidents that disrupted services for hundreds of companies and public institutions. Industry reporting and provider post‑mortems linked those outages to a DNS/control‑plane issue at AWS’s US‑EAST‑1 region and to a configuration error in Azure Front Door, respectively. These incidents lasted many hours and affected major consumer apps, airline check‑ins and even parliamentary voting systems. The magnitude of those events has sharpened concerns about systemic risk when a few hyperscalers host critical workloads.
  • Market structure and switching costs: National regulator work, notably the UK Competition and Markets Authority (CMA), has documented that AWS and Microsoft together hold very large shares of cloud spend in markets like the UK — CMA provisional and final findings flagged shares in the range of 30–40% for each provider in relevant segments and highlighted lock‑in mechanics such as egress fees and licensing differentials. Those findings have helped crystallize Brussels’ case that cloud concentration has competition effects.
  • AI compute demand and specialized hardware: Generative AI workloads drive demand for specialized accelerators and tightly integrated stacks that are often bundled by cloud providers, increasing the value of incumbency and raising the practical costs of switching providers for cutting‑edge workloads. The Commission explicitly links AI‑era infrastructure dynamics to the need for policy attention.
These drivers make the question an intersection of competition policy, national resilience and industrial strategy — a political cocktail that has increased the regulatory appetite for action.

Verifying the facts and numbers​

  • The Commission’s public timetable to conclude the fact‑finding in roughly 12 months is confirmed in official briefings and press coverage; the separate horizontal DMA review could take somewhat longer as legal and technical issues are deliberated.
  • The DMA’s enforcement toolbox and the potential penalty framework (including fines of up to 10% of global annual turnover for certain breaches, and higher percentages for repeat infringements) are established parts of the regulation: these figures are widely cited in official DMA guidance and press reporting. Applying that regime to cloud services would be precedent‑setting.
  • The October 2025 AWS outage — widely reported across major outlets and confirmed by AWS technical posts — persisted for many hours (public reporting commonly cites ~15 hours of disruption in aggregate across the event and recovery window) and affected high‑profile customers and services. Multiple reputable outlets, including Bloomberg, The Verge and long‑form industry analyses, corroborate the duration and root‑cause description tied to DynamoDB DNS automation. Where individual downtime figures differ by outlet, treat the “~15 hours” number as the consensus estimate reported by mainstream outlets and industry trackers.
  • The Azure incident in late October 2025 is likewise well documented: Microsoft publicly attributed the outage to an inadvertent configuration change in Azure Front Door that propagated through routing/edge logic, and reporting shows significant but shorter‑duration impact across airlines, government services and Microsoft’s own portals. Multiple technical accounts put the outage duration at several hours.
Where reporting diverges on details (exact minutes of downtime, lists of every affected customer), readers should treat granular lists as illustrative rather than exhaustive; regulators will rely on the providers’ internal incident records and third‑party telemetry during the Commission’s evidence gathering. Unverifiable or anecdotal claims that appear in some outlets without corroborating provider logs or regulator filings are flagged here as provisional.

Reactions from the companies and stakeholders​

Both companies have said they will cooperate with regulators while defending their markets. Microsoft said it is ready to contribute to the Commission’s market inquiry; Amazon’s AWS stressed the cloud market “provides choice and innovation” and expressed confidence regulators would find competition and choice remain strong. These public lines of cooperation are typical at the outset of a DMA market investigation. Industry groups, smaller cloud providers and some enterprise customers welcomed the inquiry as an opportunity to address lock‑in practices and improve contestability. Conversely, large‑scale cloud customers and trade groups cautioned that ill‑fitting regulation could raise costs, add compliance complexity, or slow investment in infrastructure — a classic policy trade‑off between competition enforcement and investment incentives.

Critical analysis — strengths, limits and policy risks​

What the EU gets right​

  • Focus on systemic risk is appropriate. Cloud now underpins essential services (payments, transport, government services, health records), so regulators addressing resilience and concentration is a defensible public‑interest move. The October outages provided visceral examples of cascading failures.
  • DMA as a forward‑looking tool. Using the DMA’s qualitative investigatory route is a pragmatic legal pathway: the law envisages cases where traditional consumer metrics don’t map to enterprise infrastructure, and Brussels is right to test that route rather than wait for slow ex‑post litigation that may be too late to prevent lock‑in harms.
  • Evidence‑driven posture. The Commission’s plan to gather technical evidence, contractual terms and stakeholder testimony over a 12‑month inquiry is sensible — cloud markets are technically dense and need painstaking fact collection.

Where the approach risks overreach or misfire​

  • Legal and technical mismatch risk. The DMA was architected with consumer platforms in mind; mapping its obligations onto infrastructure (IaaS/PaaS) risks misaligned remedies. For example, forcing real‑time interoperability for low‑latency systems or mandating certain bandwidth/latency guarantees via regulation could inadvertently degrade performance or conflict with how distributed systems are engineered. The horizontal probe is meant to catch this, but it’s a hard design problem.
  • Investment and innovation trade‑offs. Hyperscalers justify scale as the source of reliability and innovation; heavy‑handed obligations without careful calibration could raise the cost of developing and operating hyperscale data centers, affecting pricing and the availability of advanced services (including specialized AI accelerators) for European customers. Policymakers must balance contestability with continued capital investment.
  • Implementation complexity. Remedies that touch control‑plane semantics, proprietary APIs or traffic routing create enormous engineering and testing burdens. A poorly specified interoperability requirement could lead to brittle workarounds that reduce rather than increase competition. The Commission needs technical advisory input from standards bodies, cloud engineers and CTO‑level stakeholders.
  • Unintended fragmentation. Overly prescriptive rules could produce divergent regional implementations, hurting European competitiveness and complicating global cloud operations. If the EU forces narrow interfaces that only apply inside the EEA, providers may need region‑specific code paths, increasing complexity and cost for customers with global footprints.

Political dynamics to watch​

The probe sits at the intersection of EU digital sovereignty ambitions and transatlantic trade/regulatory tensions. The United States and major customers will watch for any rules that could restrict market access or create de facto data localization. Regulators must navigate geopolitical sensitivities while delivering enforceable competition remedies.

Practical guidance for IT leaders and procurement teams​

The investigation is an inflection point — outcomes will take time, but prudent IT risk management is immediate. Practical steps for CIOs, CISOs and procurement leads:
  • Map cloud dependencies now. Identify which workloads, data flows and business processes depend on which providers and regions.
  • Review contracts and exit terms. Pay attention to egress fees, API change commitments, and SLAs tied to control‑plane behaviours. Seek explicit clauses for incident transparency and runbook access.
  • Strengthen portability. Adopt standardized formats (infrastructure as code, container images, Terraform, OCI images) and minimize provider‑specific primitives where feasible.
  • Implement multi‑region and multi‑cloud failover for critical paths. For public‑facing and authentication services, design for graceful degradation and out‑of‑band control channels.
  • Conduct tabletop incident exercises that simulate provider outages and control‑plane failures. Validate manual fallbacks for operational continuity.
  • Engage procurement and legal with a resilience checklist: data‑export velocity, egress cost modeling, portability tests, and audit rights during incidents.
  • Where feasible, negotiate vendor commitments for post‑incident transparency (detailed root‑cause analyses, timelines, and remediation plans).
  • Monitor regulatory developments closely and treat the next 12 months as a period of potential contract and architecture change.

What to expect next — process and timeline​

  • The Commission intends to complete its fact‑finding market investigations within about 12 months; the horizontal DMA fitness study may reach conclusions within 12–18 months. That means stakeholders should expect an intensive evidence‑gathering phase (document requests, technical briefings, vendor and customer submissions), followed by reasoned findings and potential designation or tailored remedies.
  • If the Commission finds a cloud offering performs a gatekeeping role, Brussels has discretion to apply specific DMA obligations to those services or to devise sector‑tailored remedies. These could range from mandated data portability standards and non‑discrimination duties to behavioural remedies targeting specific contractual or technical practices. The Commission can also impose fines for non‑compliance under the DMA regime.
  • The investigation will involve multiple stakeholders: EU member‑state regulators, national competition authorities (whose UK CMA work formed part of the evidentiary backdrop), cloud customers and rival providers. Expect many public consultations and an intense lobbying phase from industry.

Longer‑term scenarios and industry impact​

  • Targeted remedies and interoperability standards. The Commission could require specific data‑portability standards, transparent egress pricing, or protocol interoperability in particular service layers (e.g., identity, storage APIs). This would benefit customers seeking portability but will require careful technical design to avoid performance trade‑offs.
  • Behavioural constraints without designation. Brussels could secure commitments through behavioural remedies or settlements short of gatekeeper designation, achieving early remediation without setting an expansive legal precedent. This route reduces legal uncertainty but may deliver less structural change.
  • Full DMA application to cloud services. A gatekeeper designation for certain cloud offerings would be transformational: it could force policy‑level changes in how vendors present managed services, price licenses, and enable third‑party interoperability. This scenario presents the highest compliance burdens and the greatest potential to reshape market economics.
  • Regulatory re‑calibration or bespoke cloud regime. If the horizontal probe concludes the DMA needs adaptation for infrastructure, the EU could propose amendments, or a sectoral regulatory approach could emerge — a complex, longer process but one aimed at finely tuned technical remedies.
Each path has winners and losers: customers win if competition and portability improve; vendors face compliance and engineering costs; new entrants could find more room to innovate if switching costs fall.

Conclusion​

The EU’s decision to place AWS and Microsoft Azure under DMA‑driven market scrutiny is a defining moment for cloud governance. It recognizes cloud as strategic infrastructure and tests whether an ex‑ante regime designed for consumer platforms can be mapped to enterprise and AI‑era realities. The Commission’s evidence‑heavy, 12‑month inquiry is the right procedural start; the hard work now will be technical: designing remedies that reduce lock‑in and improve resilience without breaking the scalable engineering model that delivers the very benefits customers rely on.
For IT leaders, the immediate imperative is clear: map dependencies, harden portability, negotiate better incident transparency, and rehearse provider‑failure scenarios. For policymakers, the imperative is equally stark: craft technically precise, proportional rules that protect competition and public interest while preserving incentives for the capital intensity required to run modern cloud infrastructure.
The next 12 months will shape cloud contracting, procurement and architecture decisions for years. The industry must now demonstrate — through evidence, technical detail and constructive engagement — how best to protect both competition and the resilience of Europe’s digital backbone.
Source: CNBC TV18 Amazon's AWS and Microsoft's Azure face EU probe into cloud power - CNBC TV18
 

The European Commission has opened three formal market investigations under the Digital Markets Act (DMA) that put Amazon Web Services (AWS) and Microsoft Azure at the center of a regulatory push to test whether hyperscale cloud platforms should be treated as regulated “gatekeepers” — and whether the DMA’s toolbox is fit for policing foundational cloud infrastructure.

Professionals discuss cloud services (API, AWS, Azure) around the EU DMA symbol.Background / Overview​

Cloud computing today is no longer a commodity procurement decision; it is strategic infrastructure that underpins public services, critical finance systems, and the AI stacks increasingly central to economic competitiveness. The European Commission’s announcement on 18 November 2025 launched two company‑specific market investigations — one focused on AWS, the other on Microsoft Azure — plus a horizontal probe into whether the DMA can adequately address cloud‑specific competition and resilience issues. The DMA was originally drafted to police consumer‑facing platforms that act as gateways between businesses and end users. Its gatekeeper regime rests on a mix of quantitative thresholds and a qualitative investigative pathway that allows the Commission to act where services functionally block contestability even if they do not meet numeric triggers. This discretionary route is precisely the mechanism Brussels is now using to bring cloud infrastructure into the DMA orbit.

Why Brussels moved on cloud now​

Three practical and political drivers converged to make cloud a DMA priority:
  • Market concentration. Independent trackers and national reviews show the top three providers — AWS, Microsoft Azure and Google Cloud — control a very large share of public cloud spending in Europe, creating scale advantages and network effects.
  • Switching friction and lock‑in. Contractual terms, egress costs, proprietary APIs and licensing differentials are repeatedly cited as frictions that raise the cost and complexity of migration. National authorities, notably the UK Competition and Markets Authority (CMA), have documented these issues and concluded they materially reduce customer mobility.
  • Resilience and AI. High‑impact outages over the past year exposed systemic fragility, while rapid growth in AI workloads concentrates demand for specialized accelerators and integrated stacks — intensifying incumbent advantages. The Commission explicitly links cloud competition to resilience and Europe’s strategic capacity in AI.
These motives transform what might have been a standard competition inquiry into a cross‑cutting review that straddles competition policy, industrial strategy, and critical‑infrastructure governance.

What the Commission is investigating (three probes explained)​

1. AWS market investigation​

A targeted fact‑finding inquiry will probe whether AWS’s cloud services functionally act as a DMA‑style gatekeeper in the EU — that is, whether AWS is an “indispensable intermediary” between businesses and their customers in ways that create durable market power and raise switching costs. Investigators will seek contractual documents, commercial data, technical evidence, and stakeholder testimony.

2. Microsoft Azure market investigation​

A parallel probe will apply the same qualitative test to Microsoft’s cloud offering. Particular attention is likely to focus on Microsoft’s licensing and software‑stack integration (how licensing or product design affects portability and the economics of running Microsoft workloads on rival cloud platforms).

3. Horizontal DMA fitness probe​

This sectoral investigation examines whether the DMA’s obligations and thresholds — originally designed around consumer‑facing core platform services — are fit for purpose in the cloud domain, or whether delegated acts or targeted rule changes are needed to address cloud‑specific frictions such as egress fees, API lock‑ins, and access to specialized AI accelerators. The Commission will consider whether the DMA's toolkit should be adapted for infrastructure markets. The Commission has signaled an accelerated public timetable: around 12 months for the company‑level market investigations, and a somewhat longer horizon for the horizontal assessment. If the Commission designates a cloud service as a gatekeeper, the DMA enforcement schedule typically gives firms a narrow window to comply with obligations.

Gatekeeper criteria: thresholds and the qualitative pathway​

Under the DMA, a presumptive gatekeeper designation is triggered by specific quantitative thresholds such as EU turnover, market capitalization, and platform metrics (commonly cited figures include at least 45 million monthly active EU end users and substantial EU revenue), but the law also includes a qualitative investigative route that empowers the Commission to designate services that functionally act as gatekeepers even if they do not meet the neat numeric cut‑offs. This legal flexibility is central to the Commission’s decision to probe cloud services. The core DMA obligations for designated gatekeepers include:
  • No self‑preferencing: preventing preferential treatment of a firm’s own downstream services.
  • Interoperability and access: enabling forms of technical interoperability and fair access for third‑party business users.
  • Data portability: facilitating practical data export and migration.
  • Transparency and non‑discrimination: providing equitable conditions for business users.
Penalties for non‑compliance can reach up to 10% of global annual turnover for initial infringements and higher percentages for repeated breaches.

What Brussels will examine technically and commercially​

Regulators will not rely on abstract theory alone; the probes will dig into concrete technical and commercial practices that can entrench incumbency. Key lines of inquiry include:
  • Egress fees and data portability: Are exit charges and data export tooling structured to make migrations slow, lossy or prohibitively expensive? The Commission will test whether exports (VM images, databases, object storage) are complete, timely, and usable across environments.
  • Proprietary APIs and platform primitives: Do proprietary control‑plane features or runtime extensions effectively lock workloads to a single cloud? Regulators will inspect API compatibility and the feasibility of running production workloads in multi‑cloud configurations.
  • Licensing differentials and bundling: For example, whether running Microsoft server software is materially cheaper or operationally easier on Azure than on rival clouds (a complaint repeatedly raised in national reviews).
  • Self‑preferencing in marketplaces and managed services: Whether first‑party managed AI stacks, marketplaces, or billing integrations receive preferential placement, pricing or performance.
  • Access to specialized AI accelerators and capacity allocation: Who has priority access to scarce GPU/TPU capacity, and how allocation mechanisms potentially advantage incumbents.
These are evidence‑heavy questions. The Commission will collect contractual terms, operational logs, product roadmaps, and vendor/customer testimony to map practice to competitive effect.

Stakeholder reactions: what AWS and Microsoft say — and what rivals hope for​

Both hyperscalers have signaled cooperation while defending competitive dynamics. Microsoft has framed the sector as highly competitive and expressed willingness to engage with the inquiry; AWS has warned that categorical gatekeeper designations for cloud could harm innovation and raise costs for customers. These initial public statements stress market dynamism as a counterargument to the gatekeeper hypothesis. Smaller cloud providers and some European vendors cautiously welcomed the probes, arguing that enforced interoperability and portability could level the playing field, lower switching costs, and create market space for regional and specialist suppliers. Cloud customers — especially large public‑sector buyers and banks — see potential upside in stronger portability and resilience guarantees, though they also worry about transitional disruption and compliance overheads.

Potential outcomes and the mechanics of remedies​

The investigations can produce several distinct outcomes:
  • No gatekeeper designation, targeted remedies: The Commission may find insufficient basis to designate AWS or Azure as gatekeepers but still recommend or impose targeted remedies through competition enforcement or sectoral measures to address specific anti‑competitive practices.
  • Gatekeeper designation for one or both providers: If designated, AWS and/or Azure would be subject to binding DMA obligations including interoperability, non‑discrimination and data‑portability duties, with heavy fines for breaches and ongoing reporting requirements.
  • Regulatory evolution of the DMA for cloud: The horizontal probe could prompt delegated acts or legislative updates to add cloud‑specific obligations to the DMA (for example, minimum technical standards for portability or access to specialized AI hardware).
Procedurally, the Commission aims to conclude the company‑level probes within roughly 12 months; the horizontal study may take longer (12–18 months). Any designation would then carry compressed compliance timelines and open avenues for judicial appeal, creating a window of legal and commercial uncertainty for customers and partners.

Economic and strategic stakes for Europe​

Cloud infrastructure is a key input to productivity, digital transformation, and AI capability. The Commission’s intervention is explicitly tied to broader EU goals: fostering innovation, guaranteeing resilience for public services, and advancing digital sovereignty. Analysts project strong growth in European data center demand driven by hyperscaler capacity requirements; regulatory changes that materially alter cloud providers’ commercial economics could influence investment flows, regional datacenter expansion, and the viability of local competitors.
Policymakers must balance two competing risks:
  • Under‑regulation risk: Leaving structural frictions unaddressed could entrench a small set of providers, raise costs through lock‑in, and constrain the emergence of European alternatives.
  • Over‑regulation risk: Imposing heavy ex‑ante rules or intrusive operational mandates could deter investment in capacity, slow feature development, or fragment global cloud offerings — with knock‑on costs for customers.
The Commission’s challenge is to craft remedies that lower switching friction and limit discriminatory practices without imposing disproportionate operational burdens that reduce cloud supply expansion and competitiveness.

Legal and political crosscurrents​

The DMA’s qualitative pathway gives Brussels legal room, but designation will be novel and legally complex when applied to infrastructure services with enterprise contracting models. The probes follow and build on national work such as the UK CMA’s cloud market investigation, which flagged AWS and Microsoft for holding very large shares of cloud spend and found switching frictions in licensing and egress fees. That national precedent helped crystallize the Commission’s Europe‑wide approach. There are geopolitical dimensions too. European policymakers’ concern with digital sovereignty, the CLOUD Act and cross‑border legal exposure to foreign laws underpin a political interest in growing regional alternatives. At the same time, political pressure from U.S. counterparts and industry lobbying may shape the tone and scope of any eventual remedies; some media reports note tensions between Brussels and Washington in recent months. Such cross‑border friction is a feature, not a bug, of high‑stakes platform regulation.

Risks and caveats — what is not yet proven​

Several recurring claims in public commentary and social feeds are plausible but not yet proven in a regulatory sense. These include:
  • Estimates of precise market shares vary by data provider and segment; while consensus points to concentration among the top three providers, specific percentages (e.g., “70% of European cloud spend”) depend on methodology and time window. These figures should be treated as indicative rather than immutable.
  • Macroeconomic cost estimates attributed to cloud outages or concentration (sometimes framed in very large figures) are projections or extrapolations, not audited loss totals; they should be described with caution until rigorous accounting is available.
  • Political narratives tying the probes to external actors or executive pressure in other jurisdictions require independent corroboration and should not be conflated with the Commission's formal legal rationale.
These probes are evidence‑gathering exercises; final determinations about gatekeeper status or DMA updates will rest on detailed analysis of contracts, technical architecture, and market effects. Any strong causal claim not yet substantiated should be explicitly labeled as provisional.

Practical implications for IT leaders, procurement teams and vendors​

For organizations that rely on public cloud, the unfolding regulatory environment creates both risk and opportunity. Practical steps for IT and procurement teams include:
  • Strengthen exit and portability clauses in contracts:
  • Negotiate explicit, testable migration SLAs and deliverables (complete data export, validated images, transfer speed guarantees).
  • Demand transparent billing and egress accounting:
  • Require vendors to disclose egress policies and provide cost forecasts for multi‑region transfers.
  • Design for mobility and resilience:
  • Prioritize abstraction layers (containerization, Terraform/ARM IaC, standard interfaces) that reduce coupling to provider‑specific primitives.
  • Audit vendor lock‑in exposures:
  • Catalog proprietary services in use (managed DBs, specialized AI platforms) and create migration playbooks.
  • Track regulatory timelines and engage:
  • Participate in public consultations and supply factual evidence about operational realities to regulators.
These steps reduce operational risk in the near term and position customers to take advantage of any improvements to portability or interoperability that regulators may secure.

What to watch next (near‑term timeline)​

  • Evidence collection phase: The Commission will request documents from the cloud providers and third parties; expect rounds of information requests and stakeholder hearings.
  • 12‑month window for company probes: The Commission has targeted roughly a year to conclude the AWS and Azure market investigations, though complex technical matters could extend timelines.
  • Horizontal report and policy options: The broader DMA fitness probe may yield recommendations for delegated acts or legislative adjustments within 12–18 months.
  • Potential designation and compliance windows: If designations occur, DMA obligations and compliance dates will follow a compressed schedule and may be litigated in EU courts.
Monitoring the Commission’s public filings and the formal notice and comment processes will be essential for market participants to stay informed.

Final analysis: measured ambition or regulatory overreach?​

The Commission’s move is a consequential test of the DMA’s reach. On the one hand, the probes reflect a defensible policy concern: when a handful of providers control infrastructure that underpins critical services and next‑generation AI, unchecked market power can produce lock‑in, resilience vulnerability, and barriers to a competitive cloud ecosystem. The Commission’s qualitative pathway allows it to apply a tailored competition lens to infrastructure markets that do not neatly map onto consumer metrics.
On the other hand, heavy‑handed obligations that fail to account for the technical and commercial realities of cloud operations risk unintended consequences — slowing investment in capacity, complicating global engineering practices, or fragmenting interoperable standards. The practical challenge for regulators is to design remedies that materially reduce lock‑in and discrimination while preserving incentives for hyperscalers to continue investing in global compute, network, and accelerator capacity.
The most constructive path forward will marry targeted, evidence‑based remedies (improved portability tooling, transparent billing, guardrails on discriminatory marketplace mechanics) with a recognition that cloud ecosystems are global, technically complex, and dynamically competitive. If Brussels succeeds in that balancing act, Europe could secure stronger contestability and resilience without chilling the investments that power the digital economy.
The DMA probes into AWS and Azure are therefore more than a regulatory skirmish; they are a structural inquiry into how Europe governs the compute fabric of its economy — with outcomes that will shape procurement, cloud architecture, AI competition, and the future of digital sovereignty across the continent.
Source: WebProNews EU’s Cloud Siege: DMA Probes Target AWS and Azure Dominance
 

You must log in or register to reply here.

Similar threads

ChatGPT
  • Featured
  • Article Article
EU Probes AWS and Azure Under DMA for Cloud Gatekeeper Rules
Replies
0
Views
22
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
EU Probes AWS and Azure Under DMA Gatekeeper Rules for Cloud Markets
Replies
0
Views
16
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
EU Probes AWS and Azure Cloud Under DMA to Test Gatekeeper Rules
Replies
0
Views
17
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
EU Probes AWS and Azure Under DMA Gatekeeper Rules
Replies
4
Views
43
ChatGPT
ChatGPT
ChatGPT
  • Featured
  • Article Article
EU Probes AWS and Azure Under DMA to Reshape Cloud Rules
Replies
0
Views
20
ChatGPT
ChatGPT
Back
Top