Europe's DSA VLOP ruling for Amazon and DMA cloud gatekeeper probes

Amazon’s legal loss and Brussels’ fresh cloud probes mark a watershed week for Big Tech in Europe, placing both marketplace algorithms and the backbone of modern internet services under unprecedented regulatory pressure. The General Court of the European Union on 19 November 2025 confirmed that Amazon’s online marketplace meets the threshold to be treated as a Very Large Online Platform (VLOP) under the Digital Services Act (DSA), a designation that triggers the DSA’s strictest transparency, safety and risk-management obligations. At almost the same moment, the European Commission launched formal market investigations — announced 18 November 2025 — to determine whether Amazon Web Services (AWS) and Microsoft Azure should be treated as gatekeepers under the Digital Markets Act (DMA), a status that would impose far-reaching restrictions on how the biggest cloud providers operate, bundle services and handle interoperability.
This feature unpacks the legal rulings and probes, explains what the new obligations mean in practice, analyses the strategic and technical consequences for platforms, enterprises and cloud customers, and offers practical advice for IT teams and procurement leaders navigating a shifting compliance landscape. The decisions are not theoretical: they were prompted by scale, market effects and concrete incidents — including a high-profile AWS outage in October 2025 — and they could reshape procurement, architecture and competition in Europe’s digital markets.

Background

Why Europe’s twin laws matter now

Europe has moved from designing rules to enforcing them. Two complementary regulatory pillars define the current moment:
  • The Digital Services Act (DSA) addresses online safety, the circulation of illegal or harmful content and consumer protection on very large platforms. It creates obligations around transparency, risk assessment, access for researchers, and advertising disclosure for platforms that exceed population-based thresholds.
  • The Digital Markets Act (DMA) targets contestability and anticompetitive conduct by so-called gatekeepers — platforms whose services act as essential gateways for businesses to reach customers. The DMA imposes behavioural obligations and bans on certain tying and self-preferencing practices.
Both regimes are operational and enforceable. The DSA uses a size-based trigger — platforms with more than 45 million monthly EU users (roughly 10% of the EU population) can be designated as VLOPs and face intensified duties. The DMA sets quantitative thresholds for gatekeeper designation but also foresees market investigations where the Commission can assess structural gatekeeper effects even if numeric thresholds are not strictly met.

Recent actions and precise dates

  • 18 November 2025: European Commission announces market investigations into cloud computing services, including parallel inquiries assessing whether AWS and Azure should be designated as DMA gatekeepers, and a horizontal probe into whether the DMA’s current toolbox suits cloud markets.
  • 19 November 2025: The General Court of the European Union issues a judgment (Case T‑367/23) dismissing Amazon’s challenge to its VLOP designation under the DSA and upholding the Commission’s decision.
These are active, time-bound processes: the cloud market investigations aim to reach preliminary conclusions within roughly 12 months, and if gatekeeper designations occur, the DMA provides a six-month compliance window for the designated services.

What the General Court ruling on Amazon actually does

The legal core: marketplaces as platforms of systemic influence

The court’s judgment is consequential because it underscores a simple regulatory principle: scale matters more than sector when it comes to systemic risk. Amazon argued that its marketplace is fundamentally a transactional retail platform — not a social network — and therefore should not be swept into the DSA’s most demanding regime. The Court rejected that binary.
In practical terms, the ruling confirms that an online marketplace that reaches tens of millions of EU users can have societal-level effects by shaping what consumers see and buy, amplifying unsafe or misleading products, and influencing market outcomes. The DSA’s application to marketplaces treats their reach and algorithmic shaping as potential systemic risks, requiring stronger oversight.

Key obligations that follow from VLOP status

For Amazon Store — and, by extension, any VLOP — the DSA imposes a set of material obligations. Companies must:
  • Conduct regular, evidence-based risk assessments covering how their services can amplify illegal content, unsafe products, misleading advertising and societal harms.
  • Implement risk mitigation measures and report on their effectiveness.
  • Provide independent audits of their systems and operations.
  • Offer access to platform data for vetted researchers and competent authorities.
  • Maintain public advertising repositories showing who bought ads, targeting criteria and delivery metrics for transparency.
  • Provide certain user controls, including at least one non-profiling option for recommender systems where applicable.
  • Cooperate with Digital Services Coordinators in member states and submit to supervisory fees and enforcement.
The ruling explicitly validated the EU’s assessment that these obligations are proportionate to the public interest in consumer protection and marketplace integrity. It also upheld the Commission’s authority to make such designations and the associated supervisory measures.

Fines and enforcement stakes

Non-compliance under the DSA can carry material penalties. Administrative fines for breaches can reach up to 6% of global annual turnover, and periodic penalty payments can reach up to 5% of average daily worldwide turnover for ongoing breaches. These are not abstract amounts for hyperscalers. The financial and reputational stakes are substantial, and the regime includes tight reporting, audit and transparency flows designed to increase external visibility into platform behaviours.

The DMA cloud probes: why AWS and Azure are under the microscope

What the Commission is investigating

The Commission opened three linked inquiries:
  • Two market investigations focused on whether AWS and Azure function as gatekeepers in cloud computing, assessing whether they act as critical gateways between businesses and end users despite falling short of classic DMA thresholds.
  • A horizontal (sector-wide) probe to assess whether DMA obligations, as currently framed, are effective in addressing common cloud market practices that could limit contestability — for example, restricted interoperability, conditional access to data, or bundling and tying.
These market investigations are distinctive because they apply the DMA’s conceptual lens to infrastructure rather than to consumer-facing social networks or app stores. The Commission will collect evidence from cloud providers, large customers (hyperscale customers and major enterprises), smaller cloud rivals, ISVs, tech associations and public-interest stakeholders.

Why the cloud is different — and why regulators care

Cloud infrastructure is the backbone of digital services, AI development and critical national infrastructure. A small number of providers control much of the market — both globally and within Europe. That concentration creates potential lock-in dynamics:
  • Vertical integration: cloud providers can bundle platform services, storage, compute and higher-level AI tools, making it harder for customers to switch or use third-party alternatives.
  • Data access and portability: business users may rely on provider-specific features and APIs, complicating data portability and multi-cloud strategies.
  • Interoperability barriers: insufficient standards or blocked interfaces can impede competitors and raise switching costs.
  • Economic leverage: dominant cloud providers can influence pricing, procurement norms and the structure of cloud marketplaces.
Regulators are concerned that these structural realities could limit contestability and raise costs for European businesses dependent on cloud services.

Timelines and consequences

  • The Commission aims to complete the cloud market investigations within roughly 12 months of the launch.
  • If AWS or Azure are designated as gatekeepers for cloud services, those services would have six months to comply with DMA obligations.
  • The DMA permits fines of up to 10% of global annual turnover for breaches, and up to 20% for repeated infringements; additional periodic penalties and structural remedies are also available.
These timelines matter: investigations, information requests and possible interim measures will influence commercial behaviour, cloud contracts and procurement practices during the coming year.

The AWS outage connection: technical failure meets regulatory scrutiny

A salient trigger for the cloud inquiries was a major AWS outage in October 2025 that rippled across global services. The incident — traced to a DNS/operational failure affecting key services in a primary region — highlighted the societal and business fragility that can follow from dependency on a single cloud provider or region.
From a regulatory standpoint, outages underscore two concerns:
  • Market power magnified risk: when a provider’s failure produces systemic harm across multiple sectors, it demonstrates the broad societal impact that regulators aim to guard against.
  • Switching and resilience deficits: if customers face prohibitive costs and complexity to run multi-cloud failover or replicate critical services elsewhere, dominance can amplify fragility.
Put differently, an outage is not by itself an antitrust violation — but it is the type of real-world event that gives both regulators and policymakers reason to examine market structure, competition, and the availability of robust switching and interoperability solutions.

Commercial, technical and legal implications

For Amazon (marketplace) and other VLOPs

  • Compliance programs will require immediate investment in audit-ready processes: algorithmic explanations, ad transparency tooling, public ad repositories, researcher data access protocols, and strengthened product-safety mechanisms.
  • Marketplace ranking algorithms and recommender systems will be under more scrutiny. Companies must be able to demonstrate unbiased design choices and offer non-profiling recommendation options.
  • Consumer-facing product safety workflows will need to be hardened, including tighter seller verification, faster takedown processes for counterfeit or hazardous goods, and more robust labeling.
  • Expect increased litigation and appeals. Amazon has signalled intent to appeal the General Court ruling; even so, enforcement and supervision will proceed while disputes run.

For AWS, Azure and cloud customers

  • If gatekeeper designation follows, cloud-specific DMA obligations could prohibit certain bundling/tie-in behaviours, require clearer APIs for interoperability, and mandate access to specific data and technical interfaces for business users.
  • Cloud procurement strategies will shift: large enterprises and public-sector buyers will accelerate multi-cloud, hybrid-cloud and data portability clauses in contracts to reduce vendor lock-in risks.
  • Software vendors (ISVs) and startups may benefit if contractual or technical barriers are reduced, potentially enabling more competitive markets for managed services and higher-level AI capabilities.
  • Conversely, providers warn that forced interoperability or restrictions on bundling could raise costs, slow innovation cycles and complicate investment models for capital-heavy infrastructure.

For software architects and procurement teams

  • Vendor risk assessments will escalate beyond simple SLA checks: they must consider regulatory compliance risk, auditability, and provider readiness to comply with DSA/DMA obligations.
  • Architecture changes to reduce single-provider risk will include:
      • Tactical multi-region and multi-cloud deployments for mission-critical services.
      • Decoupling architecture from provider-specific managed services where feasible, using open standards or cloud-agnostic layers.
      • Implementing robust observability and failover testing to validate business continuity plans.
  • Procurement will increasingly insist on contractual clauses for interoperability, data portability, vendor escrow, and technical exit plans.

Strategic and geopolitical considerations

A European push for digital sovereignty

The twin actions are part of a broader European strategy to secure digital sovereignty: ensuring critical infrastructure, AI development and digital markets remain competitive, resilient and aligned with EU values. The cloud probes are not isolationist; they aim to protect competitiveness and reduce dependency risks that could hamper European innovation.

Trade and diplomatic fallout

Designations and enforcement against large US-based tech firms can amplify transatlantic tensions. Policymakers are trying to calibrate enforcement to avoid political escalation while asserting regulatory independence. Past DMA enforcement decisions showed a cautious approach in penalty sizing and public messaging; future proceedings will be closely watched for their diplomatic effects.

Market adjustments and opportunities

  • Smaller cloud providers and regional players may gain traction if rules spur interoperability and lower switching costs.
  • Open-source and standards-driven solutions could see renewed demand as buyers seek portability and independence from proprietary ecosystems.
  • Cloud-native start-ups focused on portability, data federation and cross-cloud orchestration stand to benefit from a regulatory environment that prizes contestability.

Risks, trade-offs and unresolved questions

Compliance costs vs. consumer protection

Regulation imposes costs. Platforms argue that transparency obligations, audit demands and forced interoperability will increase compliance burdens, potentially slowing innovation. Regulators counter that consumer protection, competition and strategic autonomy justify the costs. The balance between these priorities will be litigated politically and in court.

Technical feasibility and operational risk

Not all DMA-style obligations map cleanly onto cloud infrastructure. Questions remain about what precise technical interfaces or interoperability standards the Commission would require, and whether those mandates are technically achievable without fragmenting performance or introducing security risks.

Litigation and appeals

Amazon’s appeal trajectory and potential legal challenges from cloud providers mean that final outcomes could take years. For businesses, this creates a period of regulatory uncertainty: enforcement may proceed in incremental steps while judicial processes unfold.

Unverifiable or evolving claims

Certain claims made by companies — for instance that specific transparency measures would necessarily disclose trade secrets, or that forced interoperability will materially raise costs — are difficult to quantify prior to concrete regulatory designs. These claims should be treated cautiously and weighed against empirical evidence and independent technical analysis.

Practical guidance for IT leaders and procurement teams

  • Treat the next 12 months as a transitional risk window: build compliance awareness into procurement decisions and vendor management processes today.
  • Reinforce contractual exit and portability clauses: require providers to commit to data extraction procedures, technical assistance for migrations and escrow of critical metadata.
  • Architect for resilience: adopt multi-region and multi-cloud patterns for mission-critical workloads; prioritize stateless designs and avoid deep dependence on proprietary APIs for core business logic.
  • Monitor regulatory developments: maintain an internal tracker for DSA/DMA milestones, information requests and sector guidance, and be prepared to respond to supplier audits or changes.
  • Re-evaluate vendor lock-in: quantify the operational and switching costs of provider-specific services; where costs are disproportionate, design migration paths.
  • Demand vendor transparency: insist on visibility into platform change management, incident reports and post-incident root-cause analyses.

Conclusion

Europe’s recent rulings and investigations reflect a clear regulatory thesis: where digital platforms and infrastructure reach a scale that can affect markets, public safety or competition, European institutions will assert regulatory control — and they will use tools calibrated to reveal how services work, how risks are managed, and whether market power is being exercised in ways that harm contestability or consumers.
For Amazon, the General Court’s confirmation of VLOP designation under the DSA forces operational transparency and risk governance onto a business model that had argued it was categorically different from social networks. For AWS and Azure, the Commission’s market investigations under the DMA place core infrastructure inside a competition framework that has historically focused on consumer-facing platforms.
The practical upshot for enterprises, system architects and procurement teams is immediate and concrete: expect more information demands, tighter vendor governance, and a regulatory environment that will reward portability, interoperability and demonstrable risk management. Over the next 12 months, as market investigations unfold and judicial appeals proceed, technology buyers should design for resilience, demand contractual protections, and treat regulatory risk as part of their core vendor-management strategy. The stage is set for a new phase in digital markets where scale invites scrutiny and where architecture, procurement and compliance will all be reshaped by regulatory outcomes.

Source: channelnews.com.au, "Microsoft and Amazon Face Tech Crackdown"
 
