Can Europe’s Digital Markets Act and Data Act Rein in Cloud Hyperscalers?

This post is part of a series of provocations published in Tech Policy Press following the third iteration of a Digital Markets Act (DMA) enforcement symposium hosted in Brussels on November 20 and 21 by the free-speech organization ARTICLE 19 in partnership with the Center for Digital Governance at the Hertie School, the University of Trento, the Amsterdam Center for European Law and Governance and the University of Namur.

Cloud computing has become a foundational layer of the digital economy, underpinning everything from data storage and enterprise IT to the training of generative AI models. Its centrality has also concentrated power: today, just three hyperscalers — Amazon Web Services, Microsoft Azure, and Google Cloud Services — control more than three-quarters of the global market for public cloud computing.

In the European Union, this concentration has brought cloud services firmly into the scope of digital regulation. Cloud computing is designated as a core platform service under the Digital Markets Act (DMA), and in November, the European Commission opened market investigations to assess whether Amazon Web Services and Microsoft Azure should be formally designated as such. At the same time, the Data Act introduces a parallel set of rules aimed at improving data portability, interoperability, and switching between cloud providers.

Contestability in cloud computing is not solely a question of competition law, but also one of digital sovereignty and innovation. In this article, I examine how the DMA and the Data Act approach cloud market power from different regulatory angles, and evaluate the extent to which these instruments can mitigate competition concerns — while also highlighting their limits.

Competition in the Clouds: Why?

Cloud is the basic infrastructure, wherein generative AI models are trained and undertakings, whether a small and medium organization (SME) or a large multinational firm, use it for storing their data, and meet their IT requirements. Cloud is not one homogeneous product. There are many models of cloud as a service.

The three commonly accepted forms of cloud as a service are Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). When undertaking the use of cloud to outsource their IT requirements, or when cloud is used to train a Large Language Model (LLM), such as ChatGPT, cloud is deployed at the infrastructure level, that is, the level of IaaS and PaaS. Further, cloud deployment may be public, private, or mixed. It is the public deployment of cloud at the infrastructure level that has attracted the attention of leading competition authorities, such as the Dutch Autoriteit Consument & Markt (ACM), the French Autorité de la Concurrence (AdlC), and the UK Competition and Markets Authority (CMA).

Considering the centrality of cloud to our daily digital lives, and the fact that only three firms in the world, namely, Amazon Web Services (AWS), Microsoft Azure and Google Cloud Services (GCS), together known ashyperscalers, control over three-fourths of the global market for public cloud computing, fairness, contestability and competition in the cloud is crucial to ensure digital sovereignty.

Cloud exhibits certain atypical economic and technical characteristics that work to the advantage of the hyperscalers. These characteristics include path dependence, learning effects, early mover advantage and the ecosystem effects in the cloud, which further reinforce the path dependence and learning effects in the cloud. Additionally, limited data portability, interoperability, low (or no) ingress but high egress fees and free cloud credits by the hyperscalers lock in the user to a given cloud. Given the substantial infrastructure commitment, the initial choice of a cloud service provider may irreversibly lock an undertaking into a given provider.

Competition in the Clouds: How?

In the European Union, the DMA and the Data Act are the two key instruments that, as the following discussion reveals, can help promote competition in the clouds.

Cloud computing services qualify as a core platform service (CPS) under the DMA. Even though the Commission initially hesitated to qualify the hyperscalers’ cloud services as CPS, following calls from academics and industry, the Commission recently initiated market investigations to assess whether Azure and AWS can be classified as CPS under the DMA.

The Commission had so far refrained from qualifying the hyperscalers’ cloud as a CPS, as cloud, unlike digital multi-sided platforms, does not facilitate transactions between business and end users. Therefore, it emerged that the quantitative thresholds under Article 3(2)(b) and the corresponding methodology for cloud as offered in Annex E of the DMA could not be met. A logical follow-up question is why, and how did the Commission then catalogued cloud computing services as a CPS under Article 2(2)(i) of the DMA. To answer this, I look at the Commission’s Staff Working Document – Impact Assessment Report (SWD-IAR). A perusal of the SWD-IAR reveals that the Commission uses the term ‘cloud’ over ‘twenty-six’ times, and each time the term is used, it is mentioned in the context of an ecosystem. It is this ecosystem-driven view that helps appreciate that cloud, when offered by a vertically integrated digital platform that provides an ecosystem of services and also qualifies as a gatekeeper under the DMA, can raise fairness and contestability concerns.

A quantitative approach is static and may fail to take into account broader policy concerns. A qualitative approach can better accommodate innovation in cloud computing. Furthermore, even if the cloud were designated as a core platform service under the DMA, the relevant obligations may still be insufficient, as the cloud is subject to a very restrictive set of obligations under the DMA.

Following the designation of cloud, the next consideration is what are the relevant obligations on the cloud? Obligations vary by the CPS, and in case of cloud, the obligations are limited only to Article 5(2) [limited to 5(2) (b), (c) and (d)], 5(6), 5(7), 5(8)], and Article 6(2), 6(5), 6(6), 6(9), 6(10) and 6(13). These are a very limited set of obligations, when compared with, for example, the obligations on search engines under the DMA. To offer a more thorough picture, in the discussion, I also look at the Data Act, which has two chapters, VI and VIII, that respectively seek to ensure ‘switching’ and ‘interoperability’ between clouds.

Commission’s November 2025 Digital Omnibus package further streamlines these measures by relaxing certain strict requirements for SME cloud service providers, and by sharing draft non-contractual terms for Cloud Computing Contracts under the Data Act.