EU Weighs Including Cloud Infrastructure in DMA to Curb Gatekeeper Power

The European Commission’s decision to probe the market power of Amazon Web Services, Microsoft Azure and Google Cloud—and to weigh bringing cloud infrastructure within the scope of the Digital Markets Act—reflects a strategic shift: regulators now see cloud concentration as a systemic risk to competition, security and Europe’s digital sovereignty.

Background: the DMA, gatekeepers and where cloud sits today​

The Digital Markets Act (DMA) was designed to tame the market power of a defined set of digital "gatekeepers" by imposing ex ante rules on how they operate core platform services (CPS) such as search, app stores, social networks and online marketplaces. The Commission’s initial designations—Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft—established the legal framework and enforcement tools that have already produced fines and compliance demands. But the original DMA list and the catalogue of CPS did not explicitly treat public cloud infrastructure (IaaS/PaaS) as a CPS in the same way app stores or ad platforms are treated. That gap is why a renewed debate has emerged in Brussels: cloud is the platform on which modern AI services, public-sector workloads, critical business functions and entire national digital infrastructures depend. The Commission’s renewed attention to cloud reflects that dependency—and a judgment that concentration in cloud could create risks similar to those the DMA was created to address.

---

Why this is happening now​

1. Concentration, outages and systemic risk​

A handful of hyperscalers dominate the global market for public cloud infrastructure. Investigations and provisional findings from other jurisdictions—most notably the UK’s Competition and Markets Authority (CMA)—have concluded that AWS and Microsoft account for the lion’s share of cloud spending and have been generating sustained returns well above the cost of capital, evidence of persistent market power. Those findings have highlighted structural barriers to switching, egress costs and licensing practices that can lock customers in. Regulators view these features as familiar hallmarks of gatekeeper power. Multiple high-profile cloud outages in recent years amplified the urgency. When a major cloud outage takes down financial systems, government services, news sites and critical enterprise operations in one shock, it exposes the fragility of a market that routes vast parts of the economy through a few providers. Such events are an accelerant for regulators who are already uneasy about reliance on a small number of foreign providers. Bloomberg’s reporting that the Commission is preparing a market probe into AWS, Azure and Google Cloud cites this confluence of concentration and operational risk as a key driver.

2. AI’s voracious demand for compute​

Generative AI and large-scale machine learning have vastly increased demand for specialized cloud compute, storage and networking. The hyperscalers not only sell raw compute; they package managed AI stacks, proprietary accelerators, and tightly coupled services that are difficult to replicate. Because AI workloads are both resource-hungry and extremely latency/architecture-sensitive, customers often commit deeply to one provider’s stack—making multi-cloud and seamless portability more theoretical than practical. Policymakers fear that dominant cloud players could leverage AI-era lock-in to foreclose competition or set terms that bias the market.

3. Strategic concerns about digital sovereignty​

European policymakers have repeatedly signaled a desire to strengthen digital sovereignty: more European data centres, resilient supply chains, and greater independence from US or non-EU providers for critical workloads. The Commission’s broader Cloud and AI Development agenda aims to expand data centre capacity and give public administrations secure, sovereign alternatives. If cloud becomes a battleground for sovereignty, regulators are more likely to accept stronger interventions—up to and including bringing cloud under the DMA’s remit.

---

How the EU could bring cloud under the DMA​

There are several legal and policy routes Brussels could follow, each with different consequences and timelines:

• Designate cloud infrastructure as a Core Platform Service (CPS) under the DMA. That would subject specific cloud services to the DMA’s gatekeeper obligations—interoperability, non-discrimination, data-portability, and restrictions on self-preferencing—if a provider meets the gatekeeper thresholds.
• Designate individual cloud providers as gatekeepers for particular services if they meet the DMA’s quantitative thresholds (size, EU turnover, and number of users/businesses). Currently, Microsoft and Amazon are already designated for other CPS; extending designations to cloud services would be a legal and administrative extension rather than a brand-new regulatory instrument.
• Use a market investigation (under competition law or sectoral powers) to identify specific competition distortions and then apply remedies—either negotiated undertakings or direction for structural or conduct remedies—without formal DMA designation. Bloomberg’s report suggests the Commission is preparing such a market probe.
• Combine DMA-style obligations with parallel instruments (the Data Act, the AI Act, and a proposed Cloud & AI Development Act) to create a hybrid regulatory overlay that addresses portability, access to non-personal data, and security requirements. This is politically attractive but legally complex and risks overlap.

Each route differs in enforceability, speed and political cost. A formal DMA inclusion is the most powerful—bringing clear ex ante obligations and large fines for non-compliance—but it also risks the sharpest diplomatic pushback. A market probe or narrow remedies may be more politically tractable while still addressing urgent harms.

---

What the DMA-style rules would mean for cloud providers and customers​

If cloud infrastructure were to be treated like a CPS under the DMA, expect some concrete changes.

• Interoperability and non-discrimination: Providers could be required to offer standard interfaces, avoid preferential bundling of services, and ensure third-party software and tools operate on equal terms. This would reduce incentives for vendors to lock customers via proprietary features.
• Data portability and egress reforms: Rules could limit egress fees, mandate robust migration tools, and require clear contractual terms for data retrieval—reducing switching costs that today create lock-in.
• No self-preferencing: Hyperscalers might be barred from steering customers toward their own managed AI services or marketplace offers in ways that disadvantage rivals.
• Audits and transparency: Gatekeepers under the DMA must provide visibility into ranking, matching, and recommendation systems—translated to cloud, that could mean disclosure around resource allocation, network traffic shaping, and pricing algorithms.
• Enforcement teeth: Non-compliance with DMA obligations can lead to fines up to 10% of global turnover for first breaches and even 20% for repeat breaches, plus structural remedies in extreme cases. The Commission already used DMA fines against Apple and Meta, demonstrating willingness to act.

For customers, these measures could lower long-term costs, improve portability and expand choice. For cloud firms, the cost of compliance would be non-trivial: rewrites for APIs, new contractual models, reworking of bundled offerings, and publishing mechanisms for audits and logs.

---

The possible benefits for Europe​

• Greater competition and lower prices: Reducing lock-in and egress penalties would lower switching costs and enable smaller providers to compete more effectively.
• Improved resilience: Mandating portability and interoperability can blunt the systemic impact of outages by making rapid failover and multi-cloud strategies more practical.
• Boost to European cloud industry: A level playing field could create market opportunities for European cloud providers and specialist entrants, aligning with the Commission’s Cloud and AI Development goals.
• Regulatory leverage on AI deployment: Because cloud is the backbone for AI, regulation that increases contestability could indirectly shape AI market structure—preventing concentration of both compute and data in a few hands.

---

The risks and costs of broadening the DMA to cloud​

While there are tangible benefits, several potential downsides deserve careful analysis.

• Regulatory overreach and fragmentation: The DMA’s obligations were crafted for platforms that mediate end-user relationships at scale. Applying the same toolkit to raw infrastructure providers risks mismatch: some obligations may not translate cleanly to IaaS/PaaS contexts and could create operational friction or unintended technical consequences.
• Investment deterrent: Hyperscalers argue that heavy-handed ex ante constraints could chill investment in capital-intensive data centers and specialized AI accelerators—exactly the investments Europe wants to attract. Critics also warn that forced changes could fragment global cloud architectures, creating inefficiencies.
• Implementation complexity: Interoperability standards and portability tools for cloud are technically non-trivial; mandating them could trigger contentious debates over standards, intellectual property and vendor interoperability that take years to resolve.
• Transatlantic political fallout: Past DMA enforcement has ramped up tensions with the United States. Bringing cloud—where US firms dominate—into the DMA’s scope could increase diplomatic friction, complicate trade talks and invite retaliatory measures or legal challenges.

---

Positions and pushback: industry, think tanks and member states​

Industry groups and leading cloud providers have pushed back against extending DMA-like rules to cloud and AI. They argue that:

• Cloud is fundamentally an infrastructure market, not a consumer-facing platform service,
• Competition is dynamic, driven by product innovation and price performance,
• Heavy regulation could slow critical investments and hamper Europe’s AI competitiveness.

Think tanks and trade bodies, particularly from the US, warn that an expanded DMA could functionally discriminate against non-EU suppliers and fragment cross-border digital services. On the other side, many EU lawmakers and competition experts argue the market is already distorted and needs preventive ex ante rules before gatekeepers entrench AI-era dominance. The debate is live and deeply political.

---

Likely timeline and enforcement scenarios​

Regulators traditionally move deliberately, but political and technological urgency can compress timelines.

• Short term (months): The Commission could open a formal market probe, gather evidence, and seek provisional remedies—while using interim guidance to nudge industry practices.
• Medium term (6–18 months): If the probe finds systemic harm, Brussels could propose either targeted DMA designations for specific cloud services or seek to harmonize DMA obligations with new sectoral acts (e.g., Cloud & AI Development Act).
• Long term (18 months+): Structural remedies or a formal extension of DMA designations could be enacted, followed by compliance timelines and enforcement windows similar to previous DMA processes.

The Commission’s recent use of DMA fines and compliance windows shows it is prepared to enforce aggressively when it determines non-compliance—so regulatory signals should not be dismissed as posturing.

---

Practical steps for enterprises and EU policymakers​

For enterprises that rely on hyperscaler clouds, the outlook requires proactive planning:

• Map dependencies: Catalogue critical services and where they sit (IaaS, PaaS, managed AI, region, contractual exit terms).
• Design for portability: Prioritize containerization, standard APIs and data export mechanisms to reduce future switching costs.
• Contractual hygiene: Review egress fees, SLA definitions, and contractual lock-in clauses with legal advisors.
• Multi-cloud law and governance: Prepare governance models and cost/benefit analyses for multi-cloud strategies.

For policymakers, a balanced approach is essential:

• Targeted remedies: Design interventions narrowly to address clear harm—egress fees, discriminatory licensing—rather than a blanket expansion of DMA where rules may poorly fit the market.
• Standards-first approach: Work with standards bodies and industry to define portability and interoperability specifications that can be mandated if needed.
• Investment safeguards: Pair competition measures with incentives for European data center and compute investment to avoid hollowing out capacity.
• International coordination: Engage the US, UK and other partners to reduce trade friction and create harmonized approaches to cross-border cloud services.

---

Critical analysis: strengths, weaknesses and the institutional test​

Bringing cloud under DMA-style oversight has an intuitive appeal: the internet’s infrastructure is now strategic, and concentration risks systemic failure and undue leverage. The Commission’s move would be a logical extension of a competition policy that now targets platform power, expanding it to infrastructure power.
Strengths:

• Proactive prevention of lock-in before AI cements it.
• Strong enforcement tools (fines, remedies) already exist in the DMA’s toolkit.
• Alignment with parallel EU policy objectives on sovereignty, data access and resilience.

Weaknesses and risks:

• Policy mismatch: The DMA was not originally calibrated for raw infrastructure services; stretching it risks ill-fitting obligations and legal challenges.
• Investment disincentives: Heavy ex ante restrictions risk chilling infrastructure spending at a moment when Europe wants more capacity.
• Implementation complexity: Technical standards, portability tools and contractual frameworks are complex and could take years to design and operationalize.

Institutionally, the Commission must pass a credibility test: demonstrate evidence of tangible, ongoing market failure and craft tailored remedies that solve specific harms without creating excessive friction for legitimate business models. The CMA’s provisional findings provide a credible evidentiary precedent; Bloomberg’s reporting suggests the Commission believes it now has sufficient cause for a probe.

---

What to watch next​

• The formal launch of the Commission’s market probe and the scope of its terms of reference.
• Specific remedies proposed by the CMA and other national regulators as templates for EU action.
• Industry reactions: product roadmaps, new portability tools, or contractual changes that could pre-empt stricter regulation.
• Parallel legislative moves: the Cloud & AI Development Act’s final text and how it coordinates with the DMA and Data Act.

---

Conclusion​

The EU’s consideration of the hyperscalers’ cloud power is not a single-act regulatory intervention but part of a broader reassessment of how digital infrastructure shapes competition, security and sovereignty. The Commission faces a trade-off: act decisively to prevent dominant providers from cementing AI-era lock-in, or risk overreach that chills investment and fragments global cloud markets.
For European businesses and policymakers, the practical imperative is clear: reduce unilateral reliance on a small number of providers today, invest in interoperability and portability mechanisms, and engage in standards work that can make markets more contestable without destroying the incentives for continued infrastructure investment. The Commission’s probe—if launched—will test whether Europe can square those competing demands and design remedies that are both effective and proportionate.

---

Source: Bloomberg.com https://www.bloomberg.com/news/arti...d-power-probed-as-eu-weighs-inclusion-in-dma/