The European Commission has launched a landmark regulatory offensive against the cloud computing industry's dominant players, opening formal market investigations into Amazon Web Services (AWS) and Microsoft Azure while simultaneously testing whether the Digital Markets Act (DMA) can effectively regulate hyperscale cloud infrastructure. This three-pronged approach represents Brussels' most ambitious attempt yet to address what regulators perceive as systemic risks in Europe's digital infrastructure, combining competition policy with digital sovereignty and resilience planning in a move that could reshape cloud markets for years to come.

The Regulatory Landscape: DMA's Powerful Enforcement Arsenal

At the heart of these investigations lies the Digital Markets Act, Europe's ex-ante competition framework designed to prevent digital gatekeepers from abusing their market positions before harm occurs. The DMA carries formidable enforcement powers that could significantly impact cloud providers: fines up to 10% of worldwide turnover for first infringements and up to 20% for repeated violations, plus periodic penalties and, in extreme cases, behavioral or structural remedies. According to European Commission guidance, these measures are intended to create a level playing field in digital markets where a few dominant players have established what regulators view as unassailable positions.

The Commission has signaled it intends to complete these inquiries within approximately 12 months, allowing for detailed technical evidence gathering, stakeholder consultations, and potential remedy development if investigations uncover actionable concerns. This timeframe reflects both the complexity of cloud infrastructure markets and the urgency with which European regulators are approaching what they see as critical vulnerabilities in the continent's digital ecosystem.

Three Parallel Investigations: A Comprehensive Regulatory Approach

The European Commission's approach is notably comprehensive, consisting of three distinct but related investigations:

  • Two focused market investigations targeting AWS and Microsoft Azure specifically, examining whether their cloud offerings and business practices meet the DMA's gatekeeper functional and economic tests
  • A third, horizontal probe assessing whether the DMA's existing toolbox—originally drafted for consumer-facing platforms like app stores and search engines—is appropriate for infrastructure markets with different metrics, technical primitives, and procurement realities

This structure acknowledges the unique characteristics of cloud infrastructure while maintaining pressure on the market's dominant players. As noted in the WindowsForum discussion, "The Commission has signalled it intends to complete these inquiries within a roughly 12-month timeframe, allowing for detailed technical evidence, stakeholder consultations, and potential remedies if the investigations find actionable concerns."

Core Lines of Inquiry: The Technical and Commercial Friction Points

Investigators are focusing on several structural and behavioral mechanics that regulators believe create effective switching costs and favor incumbents:

Data Portability and Egress Pricing

One of the most significant concerns centers on data egress fees—charges customers pay to move data out of a cloud provider's ecosystem. According to the original source, "The CMA's report showed that these companies were charging customers expensive fees called 'egress fees' just to move data out of their cloud." These fees, combined with technical obstacles, can make migration slow, risky, and prohibitively expensive for many organizations.

Self-Preferencing and Bundling Practices

Regulators are examining whether first-party managed services, marketplaces, or performance priorities privilege the host provider's ecosystem over third-party rivals. This includes concerns about how cloud providers might advantage their own services within their marketplaces or through preferential technical integration.

Licensing and Commercial Conditions

Differential pricing or licensing that makes running the same workload on competing clouds materially more expensive represents another key area of investigation. The original source specifically mentions "licensing practices that made it more expensive to run Microsoft software on rivals' platforms," highlighting how software licensing can create artificial barriers to multi-cloud strategies.

Interoperability and Control-Plane Access

Proprietary APIs, runtime primitives, or control-plane features that effectively lock workloads into specific cloud environments are under scrutiny. The lack of standardized interfaces between cloud providers can create significant technical barriers to migration and multi-cloud operations.

Operational Resilience and Systemic Risk

Perhaps most fundamentally, regulators are concerned about whether market concentration creates fragility that threatens public services and critical infrastructure. As noted in the original source, "Major cloud outages over the last year have exposed the risks of overreliance on just a few providers. The EU worries that if the cloud market remains consolidated, any disruption to operations would be felt widely."

Why Now? The Convergence of Political, Economic, and Technical Drivers

Several converging factors have pushed cloud regulation to the top of Brussels' agenda:

Market Concentration and Scale Advantages

Independent market trackers consistently show AWS, Microsoft, and Google Cloud accounting for a dominant share of public cloud spending across European markets. This concentration manifests as scale advantages, network effects, and long time horizons that favor incumbents, creating what some regulators view as durable barriers to competition.

High-Impact Outages and Systemic Dependencies

Recent, widely publicized outages at hyperscalers have exposed how dependent downstream services—including public institutions and critical business systems—have become on a handful of cloud primitives. As the original source documents, "AWS suffered a 15-hour outage in October that affected companies including Apple and McDonald's. Microsoft Azure experienced a glitch that disrupted airline check-ins, and Google Cloud has also gone offline for some high-profile clients." These incidents have reframed cloud from a commercial convenience to systemic infrastructure in regulators' eyes.

The AI Accelerant and Deepening Lock-In

Generative AI and large model workloads are dramatically increasing demand for specialized compute, proprietary stacks, and vendor-specific accelerators. This trend is deepening lock-in effects and raising the strategic stakes of cloud competition, as organizations become increasingly dependent on specific hardware and software ecosystems for their AI initiatives.

Digital Sovereignty as a Cross-Cutting Policy Goal

EU policymakers have elevated "digital sovereignty" as a fundamental objective, aiming to ensure that public services, critical infrastructure, and AI supply chains can rely on verifiable, contestable platforms that meet European legal and security norms. This political dimension adds significant weight to the technical and economic considerations driving the investigations.

The DMA presents several legal challenges when applied to cloud infrastructure markets. Originally designed around quantitative thresholds (user counts, market capitalization) and functional tests tailored to consumer-facing core platform services, mapping this framework onto cloud—where "users" are enterprise customers, and "services" may be IaaS/PaaS primitives with different performance semantics—requires careful legal and technical analysis.

Key questions the Commission must resolve include:

  • What constitutes a "core platform service" in the cloud context? Is IaaS/PaaS functionally equivalent to app stores or search from a gatekeeper perspective?
  • How should the DMA's quantitative thresholds be applied to enterprise cloud contracts, indirect markets (ISVs, marketplaces), and AI-specific infrastructure?
  • What remedies can be both enforceable and technically feasible without undermining the performance and security that large-scale clouds deliver?

As the WindowsForum discussion notes, "If the Commission decides the DMA is applicable, possible outcomes range from targeted obligations (non-discrimination, portability tech standards, egress transparency) to full gatekeeper designation with mandatory behavior rules and large financial penalties for non-compliance."

Industry Response and Technical Trade-Offs

Cloud providers are likely to contest the premise that scale equals anti-competitive conduct, emphasizing several key arguments:

Consumer and Customer Benefits from Scale

Hyperscalers will highlight the benefits their scale delivers: lower prices through economies of scale, global availability through extensive infrastructure networks, and rapid innovation through massive R&D investments. They'll argue that these benefits would be difficult to maintain under certain regulatory constraints.

Investment and Security Trade-Offs

Providers will likely warn that imposing structural or technical constraints could raise costs and slow capacity investment in Europe, potentially undermining the continent's digital competitiveness. They may also argue that certain interoperability requirements could create security vulnerabilities.

Technical Feasibility Concerns

Specific technical concerns include potential performance penalties from mandated interoperability layers, increased security surface area from deeper control-plane access requirements, and the practical challenges of creating cross-provider standards for complex services like managed databases or AI stacks.

The WindowsForum discussion captures these tensions well: "Those risks are frequently cited by industry and technical experts—and they are real. Policymakers must balance them against the clear harms of concentration and lock-in. The art of regulation here will be precise, technical, and iterative."

Practical Implications for Enterprise IT Leaders

Regardless of the investigation outcomes, enterprise IT leaders should view this regulatory shift as an opportunity to strengthen their cloud strategies and reduce vendor dependencies. Several practical steps can help organizations prepare for potential market changes:

Assess Exit Readiness and Migration Costs

Organizations should inventory their dependencies on provider-specific managed services and estimate realistic migration costs, including egress fees, re-engineering efforts, and performance testing requirements. This assessment provides crucial leverage in contract negotiations and strategic planning.

Negotiate Stronger Contractual Exit Terms

Enterprises should push for clearer egress pricing, data export guarantees, and technical migration support in their cloud contracts. As regulatory pressure increases, providers may become more willing to offer favorable terms in these areas.

Design for Portability from the Start

Architectural decisions favoring containerized workloads, open runtime APIs, and infrastructure-as-code templates can significantly reduce migration friction. The WindowsForum discussion recommends "Favor containerised workloads, open runtime APIs, and terraform-style IaC templates that facilitate lift-and-shift."

Implement Robust Encryption and Key Management

Using customer-managed keys and strict key-rotation practices ensures data remains portable and under enterprise control, regardless of regulatory outcomes or provider changes.

Conduct Operational Migration Testing

Regular real-world migration and failover drills—not just tabletop exercises—help validate assumptions under load and identify potential technical or operational barriers before they become critical issues.

Likely Regulatory Outcomes and Their Implications

Based on the investigations' scope and the DMA's enforcement framework, several potential outcomes appear possible, ranging from targeted interventions to more comprehensive regulatory approaches:

Outcome Likelihood Regulatory Approach Key Characteristics
Most Probable Targeted Technical Obligations Specific requirements on data portability, egress transparency, and non-discrimination between first-party and third-party services; fine-tunable and designed to avoid forcing wholesale architectural changes
Moderately Probable Partial DMA Designation Designation of discrete cloud offerings (managed marketplaces, identity fabrics) as regulated core platform services rather than treating entire cloud stacks as gatekeeper services
Possible Sectoral Hybrid Approach Combination of DMA-style obligations with sectoral rules (Data Act, AI Act) to create cross-cutting obligations for cloud providers serving critical infrastructure
Less Likely Competition Law Remedies Only Targeted enforcement under traditional antitrust law focused on particular contractual or pricing abuses, rather than ex-ante obligations
Least Likely (Near Term) Structural Remedies or Divestitures Only if systematic, repeated non-compliance is found; remains a remote but powerful threat given DMA enforcement language

The Broader Context: UK Coordination and Global Implications

The European investigations don't exist in isolation. As the original source notes, "UK regulators are launching investigations into cloud service providers over non-compliance with its rules on market competition." In July 2025, the UK's Competition and Markets Authority concluded its own market investigation, finding "significant unilateral market power" for both AWS and Microsoft and ultimately designating them with Strategic Market Status under the UK's new digital markets framework.

This transatlantic regulatory coordination could amplify Brussels' options or, conversely, create divergent remedies that complicate compliance for global cloud providers. The investigations also have implications for global trade and tech diplomacy, potentially creating friction between European regulators and U.S.-headquartered hyperscalers.

Looking Ahead: A High-Stakes Regulatory Laboratory

The next 12 months will see intense technical debate, legal contestation, and political maneuvering as these investigations progress. Key milestones to watch include:

  • Formal Commission notices and requests for information that clarify the legal theory of harm
  • Stakeholder consultations and DMA compliance workshops where technical details are debated
  • Evidence submissions from cloud customers and competitors that shape remedial options
  • Potential interim measures if operations are judged to pose immediate systemic risks

As the WindowsForum discussion concludes, "The probes are a live, high-stakes laboratory for how democratic states can govern digital infrastructure in an era of AI and hyperconsolidation. The decisions that follow will ripple through procurement desks, data centres and development roadmaps for a decade."

For enterprises, the prudent path forward involves strengthening portability, renegotiating contracts, and operationally validating alternative paths. For policymakers, the challenge will be designing precise, enforceable measures that enhance market contestability without producing unintended systemic costs or undermining the performance and security benefits that have made cloud computing transformative for businesses worldwide.