UK CMA’s Hybrid Cloud Plan: Commitments for AWS and Microsoft Probe for Software

The United Kingdom’s cloud competition debate has entered a distinctly hybrid phase: the regulator is trying to soften some of the market’s sharpest switching frictions while still opening a fresh antitrust-style probe into Microsoft’s wider software ecosystem. On March 31, 2026, the Competition and Markets Authority chose voluntary commitments from Microsoft and Amazon Web Services over immediate binding designations in cloud infrastructure, but it also signaled that the most durable competition concerns may now sit in the software layers above the cloud. That split decision matters because cloud computing is no longer just a back-office utility; it is the substrate for enterprise IT, public-sector digitization, and the AI services now being layered into workplace tools. The CMA may have avoided a more confrontational move, but it did not retreat from the basic premise that hyperscaler power is shaping how digital markets evolve.

Overview​

The CMA’s cloud decision did not appear out of nowhere. The UK first began seriously examining cloud services in 2022 and 2023, when Ofcom concluded that cloud markets merited deeper scrutiny and referred the sector to the CMA for further investigation. Ofcom’s study framed cloud as essential infrastructure for the modern economy, not merely a niche technology market, and it raised concerns that competition might not be working as well as it should. That early warning set the stage for a lengthy market investigation that eventually produced a 2025 report recommending that Microsoft and AWS be considered for Strategic Market Status, or SMS, under the Digital Markets, Competition and Consumers Act.
The timing matters because the DMCCA is the UK’s new digital markets regime, designed to give the CMA targeted powers over firms with entrenched market power in specific digital activities. The law is intended to let the regulator move faster than traditional competition enforcement, with conduct requirements tailored to the behavior of designated firms. In theory, that should make it easier to tackle lock-in, self-preferencing, and technical barriers to switching before those problems become entrenched. In practice, the CMA’s latest move suggests a preference for negotiated remedies in the cloud layer, while reserving tougher structural pressure for Microsoft’s broader software stack.
That split approach is important because cloud market power is not isolated from the rest of the software economy. The CMA’s own cloud findings, as summarized in the public record, point to a market where high capital costs, technical fragmentation, egress fees, and staff retraining costs all reinforce incumbent advantage. The regulator also identified the breadth of Microsoft’s product portfolio as a separate competitive problem, especially where productivity software, operating systems, database tools, and security products reinforce one another. That means cloud is not just a capacity issue; it is part of a wider ecosystem of control over enterprise workflows.
The newest layer of concern is artificial intelligence. The CMA’s March 2026 decision specifically flagged the growing integration of advanced AI and agentic tools into workplace software, indicating that competition policy is now trying to get ahead of product bundling before it hardens into the market norm. That is a subtle but significant change in posture. The regulator is not only asking whether cloud customers can switch today, but whether AI-enhanced productivity suites will make it even harder to switch tomorrow.

The Long Road to the Cloud Probe​

Cloud infrastructure regulation in the UK has evolved through a sequence of studies, referrals, and consultations rather than a single dramatic intervention. Ofcom’s 2023 work was an early signal that public policy makers were becoming uneasy about the market’s concentration and the strategic importance of cloud services. Its recommendation pushed the issue into the CMA’s hands, and the CMA then spent years gathering evidence from providers, customers, and analysts. That long process reflects a classic competition-policy dilemma: the technology changes quickly, but the remedies often arrive slowly.
The market investigation’s final recommendation in 2025 was more assertive than the March 2026 outcome. The inquiry group said the CMA should consider SMS designation for Microsoft and AWS in relation to cloud services, which would have opened the door to direct conduct requirements. That recommendation is notable because it indicates the investigative staff saw something more than ordinary market concentration. They saw a set of persistent market features that were keeping customers inside the orbit of the largest providers.

Why the three-year timeline matters​

The length of the investigation is not just procedural trivia. The longer a cloud probe takes, the more the market can move ahead of the rulebook, especially when AI infrastructure, procurement patterns, and product bundling are changing at speed. By the time the CMA settled on voluntary commitments, the market had already absorbed years of growth in AI-demanded compute and new enterprise software integrations. That makes the question of enforcement urgency harder to avoid. Delay can preserve flexibility, but it can also normalize the very behavior regulators want to change.
The CMA’s defenders will argue that a detailed record was necessary because cloud markets are technically complex and the consequences of blunt intervention could be costly. That is a fair point. Yet there is a real tension between building a robust case and allowing incumbents to consolidate even more power while the case is being built. The cloud market rewards scale, and scale tends to compound over time.
A second reason the timeline matters is that the UK is not regulating in a vacuum. EU action, especially through the Data Act and the Digital Markets Act, has already created a reference point for what switching and interoperability rules can look like. UK regulators are clearly aware of that benchmark. The CMA has repeatedly signaled that it prefers to align with European outcomes where possible, which helps avoid fragmentation but also risks making the UK a follower rather than a lead jurisdiction.

• The cloud investigation began with Ofcom’s study and moved into the CMA’s hands.
• The market investigation lasted roughly three years.
• The final recommendation was to consider SMS designation for Microsoft and AWS.
• The March 2026 decision instead favored voluntary commitments plus a separate Microsoft probe.
• The UK is now effectively running a two-track cloud and software competition policy.

What the CMA Found in Cloud​

The CMA’s cloud findings, as described in the public record, revolve around a familiar but powerful combination of barriers to exit and barriers to comparison. High capital costs make it hard for new entrants to build rival infrastructure at meaningful scale. Technical fragmentation makes services look different enough that customers cannot easily compare them or move applications between providers. And the more an enterprise trains its workforce around one provider’s tools, the higher the internal cost of leaving.
Egress fees are the most visible expression of the switching problem. They are essentially tolls charged when data leaves a provider’s system, and they can make migration materially more expensive than many buyers expect. In a market where data gravity already encourages stickiness, egress fees reinforce the economic logic of staying put. The CMA’s remedies therefore go to the heart of customer lock-in rather than merely tidying up a peripheral complaint.

Switching costs are not just technical​

One of the most useful insights in the CMA’s investigation is that cloud lock-in is rarely caused by one factor alone. The problem is a stack of frictions: technical incompatibility, operational risk, training sunk costs, and procurement inertia. Even if a customer can technically migrate workloads, the project may still be too disruptive to justify in business terms. That is why competition authorities increasingly treat “switching” as an ecosystem problem rather than a one-off pricing issue.
This is especially relevant for enterprise IT, where cloud transformation projects often become multi-year commitments. Once a company has aligned its identity management, security tooling, database stack, and internal workflows around a platform, the exit cost becomes organizational rather than merely financial. In that sense, the CMA is regulating path dependence as much as pricing.
The public sector makes the issue even more important. The CMA found that Microsoft and AWS appear to be the largest cloud providers to government, which creates a feedback loop: public contracts reinforce scale, and scale reinforces credibility in public procurement. When critical public services rely on the same hyperscalers as private enterprise, the line between market leadership and infrastructural dependency starts to blur. That is why cloud competition policy has become a strategic policy issue rather than a narrow consumer issue.

• Egress fees can deter migration even when customers want to switch.
• Technical fragmentation raises comparison and integration costs.
• Training lock-in keeps organizations tied to one ecosystem.
• Public procurement can reinforce incumbent dominance.
• Broad product portfolios extend cloud power into adjacent software layers.

Why Microsoft Is the Main Target Now​

Microsoft’s position is especially sensitive because its cloud business is not isolated from its office software, desktop operating systems, databases, and security offerings. The CMA’s new SMS investigation will examine productivity software, operating systems, database management, and related security services, which is a much broader frame than cloud infrastructure alone. That broadness matters because Microsoft’s competitive advantage is often cumulative: one product strengthens another, and the whole stack becomes more difficult for customers to leave.
The regulator’s concern about pricing asymmetry is telling. The public record indicates that Microsoft charges more for some software when it is distributed via AWS and Google Cloud than when it is used on Azure. If accurate, that is a classic example of ecosystem power influencing distribution terms in a way that may disadvantage rival platforms. It is also the kind of conduct that competition regulators increasingly see as a sign of leveraging, not just ordinary product differentiation.

The AI overlay changes the stakes​

The CMA’s decision to examine advanced AI embedded in workplace tools is especially significant. AI assistants are not just features; they are increasingly gateways to workflow control, data access, and user dependency. If a dominant vendor can fold AI into an already sticky productivity suite, it may create a new generation of lock-in that looks less like licensing and more like behavioral dependence. That is exactly the kind of market evolution competition policy tries to stop before it becomes irreversible.
This also helps explain why the CMA is treating Microsoft differently from AWS. AWS is dominant in cloud infrastructure, but Microsoft has a much deeper presence in enterprise software used by workers every day. That gives Microsoft a distribution channel into the organizational layer where defaults, permissions, and user habits are formed. For regulators, that is a more dangerous place for market power to settle.
The consumer angle is subtler, but it still matters. Consumers may not buy cloud infrastructure directly, yet they experience its downstream effects through outages, service availability, app performance, and the pricing of the software ecosystems their employers or schools use. In that sense, the CMA’s Microsoft investigation is not only about enterprise procurement; it is about the architecture of digital dependence.

• Microsoft’s productivity software is central to enterprise switching costs.
• Its operating systems and security products deepen ecosystem lock-in.
• Its AI integration could create new defaults that are hard to unwind.
• Its cloud ties can influence pricing across rival infrastructures.
• The new probe may test the limits of software bundling in a cloud-first era.

Voluntary Commitments vs Binding Remedies​

The biggest criticism of the CMA’s cloud decision is not that it acted, but that it chose the softer tool. Voluntary commitments can be faster to secure, less intrusive to administer, and easier to tailor to technical realities. They also avoid the legal and political friction that often accompanies formal market designations. But they tend to depend on goodwill, and goodwill is not the strongest basis for disciplining firms with dominant market positions.
The commitments reportedly include reductions in egress fees, interoperability measures, clearer processes for applying for cross-cloud tools, and steps to make it easier to manage applications across clouds. Those are meaningful on paper. The problem is that commitments often look better in a press release than in a migration project, where details such as timing, scope, and engineering support determine whether the promised change actually reduces switching costs.

What makes a remedy effective​

For cloud regulation, an effective remedy must do more than announce intent. It must change the economics of switching, reduce the engineering burden of interoperability, and make compliance measurable enough that customers can trust the process. That usually means clear standards, predictable timelines, and enforcement mechanisms with real penalties if a provider drifts back toward friction. Without those safeguards, voluntary commitments can become a way to delay sharper intervention.
There is also a political economy issue. Once regulators accept softer remedies, incumbents can argue that the core problem has already been addressed. That can cool momentum for stronger action even if customer pain persists. In a fast-moving sector like cloud, that rhetorical closure can be almost as valuable to large firms as a legal victory.
Still, the CMA is not operating in a pure vacuum. The EU’s Data Act will ban switching fees from 2027 and prohibit technical, contractual, and organizational obstacles to switching. That creates a concrete benchmark, and UK providers have already responded by lowering egress fees in anticipation of tougher rules. The British commitments therefore sit inside a broader regulatory convergence, even if the UK has chosen a more negotiated route.

• Voluntary commitments can be faster than formal designations.
• They are also typically weaker to enforce.
• Remedies need clear metrics and deadlines to matter.
• EU policy is already making the market more receptive to switching reform.
• The risk is that soft law becomes a substitute for structural change.

The EU, the UK, and Regulatory Convergence​

The UK’s cloud move cannot be understood without the European backdrop. The EU has already built a switching and interoperability framework through the Data Act, and it is also using the Digital Markets Act to test whether cloud giants should face additional obligations. That matters because the UK and EU are both trying to solve the same competition problem, and neither wants to leave a loophole that lets providers arbitrage between jurisdictions.
The UK’s willingness to say it will extend to Britain any EU standards that promote multicloud and switching is a pragmatic move. It reduces compliance fragmentation and gives customers more confidence that reforms are not merely symbolic. Yet it also suggests that the UK is following rather than shaping the international regulatory agenda. For a market as globally integrated as cloud, that may be sensible; for a government trying to project digital leadership, it may be less satisfying.

Cross-border policy pressure​

There is a real feedback loop here. If the EU moves first and demonstrates that switching and interoperability mandates are workable, the CMA gains political cover to do more. If the UK pushes more gently, EU findings can still pressure firms to adopt similar practices across both markets. Either way, the cloud sector is increasingly governed by a transatlantic choreography of competition policy rather than by one country alone.
That choreography also affects vendors’ compliance strategies. If Microsoft or AWS must support multicloud portability in one major market, they may find it cheaper to roll out similar tools elsewhere. That means even limited regulatory wins can have an outsized global effect, especially in a sector where product development is already centralized.
But convergence has limits. The EU’s Data Act focuses heavily on switching and obstacles to migration, while the CMA’s new Microsoft probe reaches deeper into product bundling and AI integration. Those are related but not identical problems. The result may be a layered regulatory map in which the UK is trying to probe the software stack above the cloud while Europe focuses on the cloud itself.

• The EU Data Act is a major reference point for switching rules.
• The DMA could target broader bundling and gatekeeper conduct.
• The UK is trying to avoid becoming a regulatory outlier.
• Cross-border alignment may help customers more than it helps firms.
• Different legal tools are now attacking different layers of the same ecosystem.

The Politics of CMA Independence​

The CMA’s decision also lands in a politically charged environment. The replacement of former chair Marcus Bokkerink with ex-Amazon executive Doug Gurr has intensified scrutiny of whether the agency is becoming more cautious. Gurr recused himself from the cloud case because of a potential conflict, but the controversy over his appointment has already made the CMA’s strategic choices harder to interpret as neutral technocratic judgments. Perception matters in competition enforcement because credibility is part of the remedy.
Critics have argued that the agency’s recent reliance on voluntary commitments reflects a softer enforcement culture, especially after a series of high-profile decisions that did not result in the strongest available interventions. The CMA, for its part, has defended those commitments as a way to resolve urgent issues more quickly after long investigations. Both positions can be true at once: the regulator may be acting pragmatically while still appearing reluctant to use its full power.

Why independence is a market issue​

Regulatory independence is not an abstract governance question. In digital markets, the perceived strength of the regulator affects how seriously firms take the threat of intervention. If incumbents believe the agency is likely to settle, they have little incentive to redesign product behavior preemptively. If customers believe the regulator will not back up its findings with force, they will also be less likely to plan around promised change.
That dynamic helps explain why critics have focused on the gap between the CMA’s analytical conclusions and its chosen remedies. A three-year investigation that ends in voluntary commitments may still produce practical improvement, but it may also signal that the regulator is more comfortable managing friction than confronting it. In the cloud market, where leverage is built into the architecture itself, that is a consequential distinction.
The government’s pro-growth rhetoric adds another layer of pressure. The CMA is increasingly expected to show that it can support investment and innovation, not just police bad behavior. That framing is attractive politically, but it can pull the regulator toward compromise in precisely the markets where sharper intervention may be needed. The cloud sector is one of those markets because it combines growth potential with systemic risk.

• Political pressure can make soft remedies look more attractive.
• Independence influences how firms price regulatory risk.
• Customer trust depends on visible enforcement, not just analysis.
• Growth policy can be compatible with competition policy, but not always.
• The CMA’s credibility now hinges on whether commitments actually bite.

Implications for Enterprise Customers​

For enterprise buyers, the immediate question is not ideological; it is operational. If the commitments materially reduce egress fees and improve interoperability, cloud customers may gain more bargaining leverage and better multicloud options. That could reduce the risk of being trapped in one provider’s ecosystem and make architecture planning more flexible. In theory, that should strengthen procurement discipline and increase long-term resilience.
But enterprise IT leaders know that policy changes rarely cascade into cleaner migrations overnight. Tools need to be documented, support models need to be clarified, and security and identity systems must still be made to work across providers. The CMA’s emphasis on standardized public documentation and easier access to interoperability tools is therefore sensible, but the proof will be in implementation. If the process remains opaque, many firms will still choose inertia over transition.

Procurement and governance effects​

The public sector is likely to notice the reform signal first. Government buyers and large regulated enterprises are especially sensitive to concentration risk, vendor lock-in, and auditability. If the new rules improve contract comparability, they could create a more competitive tender environment and reduce the implicit premium of staying with a single hyperscaler. That would be a meaningful gain even if it falls short of a full market redesign.
Private enterprises may see benefits more unevenly. Large multinationals with the internal engineering capacity to pursue multicloud could use the new commitments quickly. Smaller firms, by contrast, may still lack the staff, governance maturity, or migration budgets to take advantage of them. That is why regulators need to distinguish between formal accessibility and practical accessibility.

• More interoperability can improve procurement leverage.
• Lower egress fees can reduce migration penalties.
• Standardized documentation helps compliance and planning.
• Larger enterprises may benefit first.
• Smaller firms may still need external help to switch meaningfully.

Implications for Microsoft, AWS, and Rivals​

For Microsoft, the CMA’s twin-track approach is both a warning and an opportunity. It avoids immediate SMS designation in cloud infrastructure, which is a relief, but it opens a broad probe into the software layer where Microsoft’s ecosystem strength is most visible. That means the company faces a more nuanced regulatory threat: not just cloud pricing scrutiny, but possible limits on how it binds productivity, operating system, database, security, and AI services together.
AWS emerges from the decision in a slightly different position. It secured a commitment-based resolution in cloud, but it was not singled out for a new software probe of equivalent breadth. That may reflect the fact that AWS’s core business is more infrastructure-centric and less tied to desktop productivity ecosystems. Still, its scale and centrality to cloud infrastructure mean it cannot assume that the softer treatment will last if compliance disappoints or if the market keeps consolidating.

The challenger perspective​

For smaller cloud providers, the decision is a mixed bag. On the positive side, reduced friction around migration and multicloud management could make it easier to win customers who previously assumed switching was too painful. On the negative side, voluntary commitments may not go far enough to change the underlying economics that keep hyperscalers ahead. In a market where infrastructure scale matters, challengers often need more than better rules; they need a genuine redistribution of bargaining power.
That is why rivals have strong incentives to keep pressing for binding remedies and clearer enforcement. If the CMA’s commitments prove durable, they may still produce real competitive openings. If they prove thin, the largest firms will have bought time at relatively low cost. Either outcome matters because cloud competition is increasingly inseparable from the future structure of AI and enterprise software.

• Microsoft faces the broader risk of ecosystem scrutiny.
• AWS benefits from avoiding a tougher immediate designation.
• Smaller rivals need the remedies to be practically usable, not just formally available.
• AI distribution could become the next battleground.
• Multicloud tools may create openings, but not equalize the market.

Strengths and Opportunities​

The strongest argument in favor of the CMA’s approach is that it identifies the right pressure points without overcorrecting. Cloud markets are technically delicate, and a badly designed remedy could create security, resilience, or compliance problems that hurt customers more than incumbents. The commitments also align with broader international policy trends, which increases the odds that firms will actually implement them rather than treat them as a local anomaly.
More importantly, the Microsoft probe shows that the regulator has not lost sight of the larger ecosystem picture. The chance to separate genuine interoperability reform from superficial compliance is real, and the UK could still build a useful model for how to regulate cloud and AI-adjacent software together. If the CMA follows through, this could become a benchmark case for layered digital market regulation.

• Reduced egress fees can make switching more affordable.
• Better interoperability can support multicloud resilience.
• Standardized documentation can improve transparency.
• The Microsoft probe may address broader ecosystem lock-in.
• UK policy could influence international practice.
• Enterprise buyers may gain more negotiating leverage.
• AI integration is being examined before it becomes fully entrenched.

Risks and Concerns​

The biggest risk is that voluntary commitments will not materially change the market. Providers can comply in form while preserving enough complexity to keep switching difficult, especially for customers with legacy architectures. If that happens, the CMA will have spent years producing a policy outcome that looks active but changes little on the ground.
There is also a risk that the Microsoft investigation becomes too broad to bite. When regulators spread their attention across too many adjacent products, remedies can become vague, administratively burdensome, or legally contestable. The challenge is to target the places where ecosystem leverage is actually exercised, rather than trying to regulate every adjacent feature at once.

• Voluntary commitments may be too soft to change behavior.
• Compliance could become a box-ticking exercise.
• Broad probes risk producing vague remedies.
• Delays may allow further market concentration.
• Public sector procurement can keep reinforcing incumbency.
• AI bundling could outrun the regulatory timetable.
• The CMA’s credibility depends on visible follow-through.

Looking Ahead​

The next six months will be crucial because the CMA plans a review of progress on the commitments, and that review will reveal whether the firms are treating this as a genuine operating change or a temporary compliance exercise. The Microsoft SMS investigation will also begin to shape expectations about how far the UK is willing to go on bundling, interoperability, and AI-infused workplace software. If the CMA signals seriousness early, it may influence behavior well before final decisions land.
The wider policy environment will matter just as much. The EU’s cloud and digital market actions are likely to keep pressuring major providers to standardize switching and interoperability tools across jurisdictions. That could accelerate reform in the UK even if the domestic process remains cautious. In other words, the biggest external force on the CMA may not be political criticism at home, but regulatory momentum abroad.

• The six-month review will test whether commitments are real.
• The Microsoft probe may define the next phase of UK digital regulation.
• EU decisions could accelerate UK-aligned reforms.
• Enterprise buyers should watch for changes in migration costs.
• Cloud vendors will likely adjust products to avoid stronger future rules.

This is ultimately a story about whether regulators can keep pace with the way digital power now works. Cloud dominance is no longer just about storage and compute; it is about the control points that shape enterprise behavior, AI distribution, and the practical ability to leave one ecosystem for another. The CMA has chosen a cautious first move, but the real test will be whether that caution produces durable competition or merely a more polite version of the same old lock-in.

---

Source: techpolicy.press UK Regulator Probes Microsoft While Backing Voluntary Cloud Rules