UK CMA to decide on DMCC SMS for Azure and AWS in cloud market

The UK’s competition watchdog has put the country’s two largest cloud providers — Microsoft’s Azure and Amazon Web Services (AWS) — squarely in its sights, and told industry stakeholders it will decide by the end of March whether to escalate the matter under the new digital markets enforcement regime that allows the regulator to impose bespoke conduct obligations on strategically significant firms. This is not a routine competition review: it is a potential activation of the United Kingdom’s fresh Digital Markets, Competition and Consumers (DMCC) regime, and it carries the prospect of legally binding behavioural remedies, mandatory merger notifications, and turnover-based penalties that would reshape commercial terms for cloud customers and vendors alike.

Background​

The Competition and Markets Authority (CMA) set the current sequence of events in motion after an independent inquiry group published provisional findings in late January that concluded competition in the UK cloud infrastructure market "is not working as well as it could." The group estimated UK business spending on cloud services at roughly £9 billion in 2023 and found that Microsoft and AWS each account for a very large share — typically described in CMA materials as within the 30–40% range — leaving the remainder to Google (a much smaller share) and a patchwork of private and specialist providers. The heart of the CMA’s concern is twofold: structural concentration that raises barriers to entry and expansion, and commercial and technical practices that the panel says create switching frictions and “lock-in” for customers.
The CMA’s provisional report singled out several specific sources of potential harm: differential pricing and licensing terms that disadvantage rival cloud suppliers when customers use Microsoft software on non‑Microsoft clouds; egress and data-transfer costs that make it expensive to move workloads between clouds; contract terms and discount structures tied to long-term commitments that effectively discourage switching; and deep technical integration features — data gravity, unique proprietary services and APIs — that make multi‑cloud or cloud‑to‑cloud migration costly and technically complex.
The provisional findings recommended that the CMA should consider whether to designate Microsoft and AWS as firms with “Strategic Market Status” (SMS) for their cloud activities, thereby inviting the regulator to use the DMCC Act’s tools. The CMA later clarified that it would set a decision point — whether to open a digital‑market‑style investigation — by the end of March, signalling the regulator intends to act promptly and use the DMCC framework where appropriate.

---

What the DMCC / SMS regime actually permits​

Understanding the practical implications of an SMS designation is essential: the DMCC regime is not a blunt instrument. It is a bespoke framework that allows the CMA to impose narrowly tailored conduct requirements aimed at fixing market failures identified in an evidence-based investigation.
Key elements of the regime include:

• A threshold gateway: the firm must meet revenue thresholds (global or UK turnover conditions) and the CMA must find the firm has “substantial and entrenched market power” in the relevant digital activity.
• Designation is activity‑specific and time‑limited: SMS will be assessed for a particular digital activity and typically reviewed every five years.
• Tools available to the CMA: impose conduct requirements (behavioural obligations), design and implement pro‑competition interventions (which can range from data‑portability measures to restrictions on self‑preferencing), introduce merger notification duties for the SMS firm, and apply enforcement powers for non‑compliance.
• Penalties and enforcement: the DMCC introduces turnover‑based civil penalties for failures to comply with information requests or remedies. Public reporting and daily penalty regimes are possible. While media reports often cite “fines of up to 10% of global turnover,” the legislative instruments contain nuanced penalty structures (including fixed percentages for different classes of breach and separate provisions for consumer protection offences). In practice, the CMA’s enforcement clout under DMCC is significant and can include recurring penalties for ongoing non‑compliance.

The regime therefore offers the CMA a graduated toolkit: it can require interoperability or open APIs for a specific cloud activity, force clarity and parity in licensing, and restrict contract practices that materially hinder switching — without necessarily resorting to structural remedies in the first instance.

---

Why cloud is different: technical and commercial frictions​

Cloud computing looks deceptively simple at a marketing level — compute, storage, networking on demand. Beneath that simplicity lies an ecosystem built on proprietary services, regionally distributed data centers, and complex licensing relationships with software vendors. The CMA’s concerns touch on well-known industry dynamics:

• Data gravity and latency: datasets grow and tend to attract dependent services; moving petabytes between providers is expensive and slow, making migration materially costly.
• Provider-specific services: many cloud offerings are not pure commodity infra (IaaS) but higher‑level, differentiating managed services, proprietary accelerators and platform integrations (AI accelerators, managed databases, proprietary networking features). These services can lock workloads to a vendor.
• Licensing asymmetries: enterprises running Microsoft software (Windows Server, SQL Server, certain enterprise licences) rely on vendor licence terms that can materially affect the cost calculus of moving that workload to a rival cloud. If it is cheaper to run Windows Server on Azure than on AWS, the price differential is a switching disincentive.
• Commercial rebates and discounting: deep discounting for committed usage, combined with volume‑based rebates and bundling, can create “stay” incentives even where alternative providers would offer better long‑term value.

These factors are not novel. They are exactly what customers, consultants and competitors have been debating for several years in boardrooms and trade associations. What the CMA has done — and what distinguishes this review from previous industry gripes — is to quantify the scale of potential harm and propose using statutory digital markets powers to address them.

---

Where the evidence points — and where it remains provisional​

The CMA’s inquiry group reported sustained returns above the cost of capital for the major players, high estimated switching costs for customers and market shares that imply limited price competition. The provisional findings included a numeric estimate of potential savings to UK cloud customers should competition improve — figures discussed in expert briefings that run into the hundreds of millions of pounds per year. These are material numbers that align with the CMA’s central concern: customers may be paying for friction.
At the same time, the investigation’s findings are provisional. The CMA’s market investigation process includes consultation and responses from affected parties; Microsoft and Amazon have both pushed back, arguing the cloud market is intensely competitive, dynamic and integral to the UK’s technology stack and AI ambitions. They dispute the CMA’s market‑share framing and the weight given to legacy licensing terms relative to fast‑moving developments (for instance, the rapid growth of AI‑native services and emerging competitors).
Practically speaking, the CMA’s provisional case rests on several testable assertions:

• Microsoft’s licensing regimes can and do make it more expensive to run certain Microsoft software on non‑Azure clouds relative to Azure.
• Egress and data transfer charges materially deter switching.
• The structure of contract discounts and incentives significantly reduces customers’ willingness to migrate to competing cloud providers.

All three assertions are subject to empirical scrutiny, and they have been corroborated in varying degrees by market participants, trade groups and other regulators. Competitors and customers have provided evidence to the CMA that aligns with the inquiry group’s concerns. Conversely, Microsoft and AWS have submitted evidence and testimony arguing the statistics and causal links are overstated or mischaracterised.

---

What a formal SMS investigation could require — concrete examples​

If the CMA decides to open an SMS investigation and ultimately designates one or both firms, the range of remedies the regulator could impose is broad but targeted. Possible interventions include:

• Conduct requirements that ensure parity of basic licence terms regardless of cloud host, or that prevent discriminatory pricing terms applied to rival clouds.
• Price‑transparency obligations or constraints on egress/pricing structures to reduce switching friction.
• Technical mandates for interoperability and data portability — for example, requiring export tools and application portability guidance to lower migration costs.
• Merger notification obligations for the designated firms: SMS status can trigger mandatory UK notification for certain deals involving the SMS firm.
• Monitoring and reporting duties to the CMA and independent auditors to ensure the firm follows conduct obligations.

The CMA is likely to favour behaviourally‑targeted remedies first. These are less invasive and can be tailored to the precise sources of harm identified in the inquiry: licencing, contract terms, commercial incentives and specific technical interoperability issues.

---

Risks and trade‑offs for policymakers and customers​

The CMA faces a classic regulatory trade‑off. Left unaddressed, the market’s structural concentration and switching frictions could entrench market power, raise costs for UK firms, and limit the UK’s ability to nurture local cloud competition and innovation. Conversely, aggressive or poorly calibrated intervention risks chilling investment, deterring new capital for UK cloud infrastructure and alienating global tech firms at a time when policymakers also emphasise growth.
Key risks include:

• Investment flight or slowed capacity expansion: cloud providers may reassess commercial terms for new infrastructure in the UK if they judge regulatory burden or compliance costs too high.
• Regulatory overreach: imposing requirements that pressure providers to open proprietary services could undermine product quality or security if technical constraints are not properly understood.
• Enforcement complexity: technical mandates for interoperability require precise specification; poorly designed rules can create perverse outcomes that reduce product differentiation and innovation.
• Global fragmentation of cloud rules: divergent national approaches could create compliance burdens for multinational customers and providers, complicating cross‑border service delivery.

For cloud customers, the immediate risk is legal and contractual uncertainty during any designation process. Large enterprises may face temporary difficulties negotiating long‑term contracts if pricing and data‑transfer obligations are in flux; smaller businesses could be caught between competing counsels recommending different procurement postures. But the long‑term upside for customers — lower switching costs, clearer licence parity and better multi‑cloud portability — is compelling if regulators get the design right.

---

How Microsoft, AWS and other ecosystem players are likely to respond​

Expect a multi‑front response from the providers under scrutiny:

• Legal and policy challenges: both firms will marshal regulatory and legal resources to contest factual findings and advocate for proportional responses.
• Commercial adjustments: companies often respond to regulatory pressure by altering rebate schemes, clarifying licensing terms, and introducing migration tools to blunt criticism.
• Lobbying and reputational campaigns: framing the debate in terms of investment, UK competitiveness, and the benefits of current cloud economics.
• Technical initiatives: accelerated provision of cross‑cloud tools, new data export features, and improved migration documentation to head off mandatory remedies.

Third‑party players — major customers, integrators, managed‑service providers and niche cloud vendors — have their own incentives. Some will lobby the CMA for robust action to lower switching costs; others will stress the importance of stable contractual terms to support investment and complex transformation projects.

---

What enterprises should do now — practical steps​

Enterprises should treat this regulatory process as both a legal and procurement signal. Practical steps for CIOs, procurement and legal teams include:

• Audit current cloud exposure and contract terms: map where critical workloads sit, what licences are attached, and what egress and transfer costs apply.
• Model migration sensitivity: quantify the cost and technical complexity of moving representative workloads between cloud providers.
• Review licence entitlements: determine whether existing licences contain portability or mobility provisions, and whether vendor programmes (e.g., licence mobility schemes) are used optimally.
• Engage with vendors: request written clarifications on egress pricing, migration tooling and licence parity, and document responses in procurement files.
• Scenario planning: build procurement playbooks for potential outcomes — from minor contractual clarifications to formal regulatory remedies that require operational changes.
• Consider staged multi‑cloud strategies: for new projects, design cloud‑agnostic architectures where feasible to lower future switching costs.

These steps are not merely compliance theatre. Many firms already bear significant hidden switching costs; early assessment can convert regulatory uncertainty into a strategic procurement advantage.

---

Broader competition policy implications and global context​

The CMA’s interest in the cloud market is part of a wider international trend: regulators in Europe and elsewhere are asking whether digital platforms that control critical infrastructure and inputs create systemic lock‑in. The UK’s DMCC regime is roughly analogous to the EU’s Digital Markets Act and mirrors other national efforts to temper the market power of dominant platform providers.
The cloud sector’s increasing centrality to AI, apps and critical national infrastructure elevates the stakes. A single provider’s technical or commercial leverage can cascade into adjacent markets — for example, preferential bundling of compute and software licences could entrench advantage in both cloud and enterprise software markets. Regulators are attuned to these “leverage” effects and the potential for cross‑market foreclosure.
At the same time, the cloud industry is highly dynamic. New entrants, regional hyperscalers, sovereign cloud initiatives, and open‑source driven portability projects (e.g., container orchestration standards, container images, and cross‑cloud managed services) change the competitive landscape. Any regulatory action must therefore be forward‑looking and technically literate.

---

Strengths of the CMA’s approach — and where it must be cautious​

Strengths

• Focused, evidence‑led scrutiny: the CMA’s provisional findings are detailed, quantify potential harm and identify specific mechanisms (licensing terms, egress costs, discount structures).
• Tailored regulatory tools: DMCC’s SMS framework allows targeted remedies rather than blunt structural breaks, providing flexibility.
• Customer protection orientation: the CMA centers business customers’ experiences — potential savings, interoperability, and choice — in its analysis.
• Alignment with broader policy: the CMA’s approach dovetails with other digital market oversight, reducing regulatory arbitrage.

Caveats and risks

• Technical complexity: specifying enforceable technical remedies requires deep domain knowledge. Poorly specified obligations could harm security or product capability.
• Measurement challenges: causation between licence terms and market outcomes is complex and contested; the CMA must demonstrate clear causal links to justify intrusive remedies.
• International coordination: unilateral UK measures risk creating compliance costs for multinational providers; coordination with EU and other regulators could help but is politically and technically challenging.
• Investment trade‑offs: the CMA must balance pro‑competition goals against potential dampening of long‑term investment incentives in data centres and specialised services.

---

What to watch in the coming weeks​

The end of March decision point is a procedural hinge: the CMA will either open an SMS investigation under the DMCC or decide to pursue alternative market‑remedy routes. Watch for:

• The CMA’s formal announcement and scope: whether the regulator opens one or two SMS investigations (Azure, AWS separately or a combined cloud‑activity probe).
• Early indications of remedy focus: whether the CMA signals an emphasis on licensing parity, data portability, egress pricing, or contract behaviour.
• Industry counter‑proposals: structured commitments by Microsoft or AWS to change their licensing or egress models to avoid formal designation.
• Customer and third‑party inputs: major UK enterprises, trade bodies and cloud integrators typically publish position papers or respond in consultations — their evidence will shape the CMA’s final design.
• International spillovers: regulators in the EU and other jurisdictions may take cues, and we could see coordinated or divergent regulatory trajectories.

---

Conclusion​

The CMA’s imminent decision is a consequential moment for the UK cloud market and for global digital markets policy. If the regulator opens an SMS investigation into Microsoft and AWS, we will enter a regulatory phase where commercial contracts, technical interoperability and the economics of cloud migration are not only matters for procurement teams and attorneys but are subjects of enforceable public policy. For cloud customers, the potential payoff is reduced switching friction and clearer licensing terms; for providers, the process will bring compliance costs and a need to demonstrate that open competition can coexist with product differentiation.
The key question is not whether the cloud industry is dynamic — it clearly is — but whether that dynamism delivers competitive outcomes for UK businesses and public services. The CMA’s task is to translate that empirical question into specific, proportionate rules that reduce lock‑in without undermining innovation. The end‑March decision is the regulator’s first operational answer; whatever it decides, the reverberations will be felt across procurement meetings and boardrooms, as well as in the technical architecture of how Britain — and often the world — builds and deploys digital services.

---

Source: Law360 UK cloud-probe decision to come in first quarter, CMA’s Cardell says | MLex | Specialist news and analysis on legal risk and regulation