Cloud Services Face Scrutiny Under the Digital Markets Act

Megan Kirkwood is a fellow at Tech Policy Press.

Today, European authorities announced three new market investigations into cloud-computing services under the Digital Markets Act (DMA), as EU leaders gather in Berlin for the Summit on European Digital Sovereignty — an event billed as a push for an “independent, secure and innovation-friendly digital future for Europe.” Two investigations will assess whether Amazon Web Services (AWS) and Microsoft’s Azure should be designated as gatekeepers, despite apparently “not meeting the DMA gatekeeper thresholds for size, user number and market position.” A third investigation is to assess if the DMA is best placed to “effectively tackle practices that may limit competitiveness and fairness in the cloud computing sector in the EU.”

How do the gatekeeper investigations work?

Under the DMA, companies that provide “core platform services,” including social networks, app stores, advertising networks, browsers, intermediation services, operating systems, video sharing platforms, search, cloud computing, virtual assistants and messaging services, must notify the Commission if they meet the annual turnover thresholds specified in the law. The Commission then has 45 working days to decide whether to designate one or more core platform services as a gatekeeper.

It considers whether the company holds an entrenched position and if it is an important gateway for business users to reach end users. This has proven key in the designation process. For example, although the social networking app X notified the Commission that it met the turnover threshold, the Commission concluded that X is not an important gateway for businesses and did not designate it under the law.

However, Article 3(8) of the DMA also offers the possibility to designate a gatekeeper that does not meet the threshold but still has a significant impact on the European internal market, serves as an important gateway for business users to reach end users, and enjoys an entrenched and durable position, or is expected to soon. In such cases, the Commission must investigate whether to designate the gatekeeper and determine which core platform services should be included. The investigation can last up to one year, though the Commission is expected to give its preliminary findings on whether designation is likely during the process.

The absence of a cloud gatekeeper, despite cloud’s status as a core platform service, has long been questioned. Samuel Stolton reported for Bloomberg that:

To date, the world’s largest cloud providers have avoided the DMA because a large part of their business comes via enterprise contracts, making it difficult to count the number of individual users, one of the EU’s main benchmarks for earmarking Silicon Valley services for extra oversight.

However, interest and pressure to designate cloud under the DMA have grown, and the Commission has also sought feedback on potentially bringing artificial intelligence applications under the law.

Why is this important?

US hyperscale cloud providers — Amazon, Microsoft, and Google — hold more than 65% of the EU market. Meanwhile, “the market share of EU providers has shrunk. Between 2017 and 2020, it fell from 26 percent to 10 percent, cumulatively,” according to Francesco Bonfiglio, former chief executive of Gaia-X, an association created to develop decentralized networks of cloud computing services across the European Union. Cloud computing has become a near-essential service for the public, private businesses, and public institutions. Recent global cloud outages have underscored cloud's role as public infrastructure and the central position of hyperscaler providers.

Europe is increasingly concerned about data security and sovereignty, spurred in part by the Trump administration’s ongoing hostility to the EU and the powers granted by the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which allows US law enforcement to obtain data stored abroad, even data concerning non-US citizens. Fears of a potential “kill switch” have pushed digital sovereignty up the EU agenda, with some member states switching away from the biggest cloud providers and adopting European alternatives.

However, to switch away from US providers at scale may require competition law enforcement and regulation. The European Commission has passed the Data Act, which requires cloud providers to eliminate switching charges by 2027 and bans “technical, contractual and organisational obstacles’ to switching to another provider.” Major cloud providers have already reduced switching fees in response.

Other obstacles to cloud switching, which the Data Act does not address, include the “broad product portfolios of Microsoft, AWS and Google”, which bundle cloud with a variety of connected services, creating significant lock-in. In a review of the DMA, the civil society group ARTICLE 19 highlighted the issue of a “hyper-scaler bundling its cloud services with some of its most widely used software products services at prices independent providers cannot match.”. The DMA could address this by applying rules that prohibit self-preferencing or tying services together, though ARTICLE 19 recommends adjustments to more clearly target unfair practices by large cloud providers.

Whether such adjustments are needed is part of the investigation opened by the Commission, which may propose an update of the DMA obligations for cloud. That investigation must conclude within 18 months. The Commission will consider if the DMA sufficiently addresses “obstacles to interoperability between cloud computing services, limited or conditioned access for business users to data, tying and bundling services, and potentially imbalanced contractual terms.”

ARTICLE 19 said the investigation is “an important reminder that the EU legislator always intended the DMA to be forward-looking and therefore equipped the Commission with substantial powers of adjustment.” The group also recommends amending the DMA to include AI-related services.

Rebalance Now, a German anti-monopoly non-profit, also supported the investigations in a written statement from Aline Blankertz, Tech Economy Lead:

These DMA market investigations are the only element of the digital sovereignty announcements that show that the EU still wants to act on the vast concentration of power by Big Tech, and that the cloud sector is a key area of concern. Extending the DMA to cloud services is an important step towards limiting Big Tech’s anti-competitive practices. The Commission should aim to complete the investigations as quickly as possible ahead of the 12-/18-months timeline. Besides, more action under Article 102 against the abuse of dominance is necessary to avoid being tied to the narrower DMA framework.

Max von Thun, Director of Europe & Transatlantic Partnerships for the Open MarIkets Institute, also applauded the investigation, noting the non-profit “has long called for dominant cloud computing providers to be designated under the DMA, given their widely-documented use of unfair and anti-competitive tactics to lock out rival providers and lock in their customers.” Thun urged the Commission to use all available legal tools to break “Big Tech’s suffocating grip on Europe’s cloud infrastructure.”

However, Dr. Christophe Carugati, a digital and competition expert at Digital Competition, criticized the investigation, arguing that it shifts the DMA’s purpose away from being “a legal tool designed to address specific, identified competition concerns, but increasingly a political tool aimed at supporting the development of a European industry.” Others warn that without intervention, the cloud sector will remain concentrated, allowing cloud giants to dictate the terms of access to essential technology and control entire digital ecosystems through financial and technological lock-in.