What the EU Needs to Do to Challenge Big Tech Cloud Dominance

The European Union has a cloud infrastructure problem. Its dependency on a few, US-based companies raises security, economic, and democratic concerns. The EU’s approach has been one of favoring the market and introducing standards to avoid the worst consequences of this dependency. We believe the EU’s efforts are in the right direction, but that some targeted improvements are necessary to ensure their success. Due to the urgency of the problem and the current attention given by the European Commission to its digital strategy, the priority should be relatively shorter-term and clearly achievable solutions.

Although ethereal sounding, the cloud is a very real infrastructure that powers everything from government to healthcare to law enforcement applications, and that has major geopolitical implications. In the lead-up to the Open Markets Institute’s recent report, Engineering the Cloud Commons, the European Policy Centre and OMI held an expert roundtable to bring together researchers, policymakers, and civil society actors to discuss the issues specific to the EU and what can be done about them.

The cloud infrastructure market today is extremely concentrated. In Europe, just three companies — Microsoft, Amazon, and Google — hold 72 percent of the market share. Part of this is due to a natural monopoly characterized by high barriers to entry and economies of scale. Building the physical infrastructure required to operate a cloud entails, at a minimum, hundreds of millions of dollars in investment in data centers, practical know-how, and relationships with independent service vendors that can take years to build.

However, the Big Tech companies that dominate the space have exacerbated the problem, concentrating power even further. They have engaged in anticompetitive behaviors, ranging from restricting the interoperability of their cloud platforms to offering discriminatory pricing to undercut rivals, to charging high and arbitrary “egress fees” to port data out of their clouds.

The threats posed by this concentration go far beyond bad outcomes for consumers. Since the cloud is the backbone of our modern society and economy, market failure in the cloud can pose national security risks and contribute to the degradation of data privacy. Fewer cloud providers means that a single failure (deliberate or not) could simultaneously affect several critical services, similar to the Crowdstrike incident or AWS outages. But this reliance on US cloud providers is especially dangerous for the EU. US laws such as the CLOUD Act and FISA allow the US government to access data held by US service providers regardless of where it is stored. These threats led to concerns that the US might pressure its companies to discontinue their services to institutions like the International Criminal Court.

Concentration in the cloud also poses threats to democracy and sovereignty. As tech companies become increasingly powerful, bolstered by the profitability of their cash cows, they can exert more influence on the state through lobbying, challenging court decisions, and even outright ignoring enforcement. This threatens sovereignty everywhere, as states become hesitant to make decisions that would endanger relationships with the cloud providers on which they depend so heavily. Cloud providers could make unilateral decisions to shut off access to dissidents or anyone else they choose, effectively amounting to censorship and restricted freedom of expression.

Fortunately, the EU has already taken laudable actions towards addressing such a complex problem. The Digital Markets Act (DMA) and Data Act (DA) were written to address some of the incumbents’ anticompetitive practices beyond existing EU competition law. Moreover, laws like the General Data Protection Regulation (GDPR) and the Network and Internet Services (NIS2) Directive introduce privacy and cybersecurity standards for cloud providers, among others. However, current solutions fall short. Although the DMA was clearly written with the cloud in mind, no cloud provider is currently regulated by it. As for the DA, it has put significant pressure on the tech giants to eliminate egress fees, but barriers to interoperability remain, and the legislation does not address the full scope of activities through which Big Tech maintains its dominance in the cloud.

We recommend that the European Commission classify cloud providers as gatekeepers under the DMA. While there may be some difficulties in classifying cloud providers as gatekeepers under the DMA, the law was clearly written with the cloud in mind, and it categorises cloud technologies as core platform services. This modification, also proposed by the European Parliament’s Internal Markets and Consumer Protection (IMCO) Committee, would help address several competitive concerns like self-preferencing, using data from businesses that rely on the cloud to compete against them, or disproportionate conditions for termination of services.

Such actions must be implemented in concert with other initiatives, such as a common marketplace for cloud services. The idea of a cloud marketplace has already been put forward by the European Commission and by the European Alliance for Industrial Data, Edge, and Cloud to “enable the entry into the market of a more diverse set of cloud service providers”. But currently, there is no binding requirement for cloud providers to sell their services through the marketplace. Given the history of Big Tech firms providing substantially different prices and discounts to similar customers, we suggest making participation in the cloud marketplace compulsory and strengthening transparency requirements for prices, service levels, sustainability, and other dimensions to allow hyperscalers and smaller players to compete on various aspects. One expert from the OMI roundtable remarked that public procurement could be used as a lever to require procuring agencies to use a marketplace to shop for cloud options, including Big Tech offerings, but also clouds from smaller players and European businesses.

We aim to present two shorter-term, relatively straightforward solutions to the concerns arising from the cloud market, in line with the European Commission’s objectives. However, given the large economies of scale and high upfront sunk costs involved in developing cloud infrastructure, it may be necessary to regulate cloud providers like public utilities or public services. This should only be necessary if regulation like the DMA proves ineffective at preventing the manipulation by cloud providers of downstream markets that rely on cloud infrastructure. In that case, a more drastic remedy, such as accounting separation, may be warranted. However, as one of the experts we consulted argued, this policy can be challenging to enforce in cases where there are significant shared costs between the public service and commercial services.

All in all, the EU has been right in favoring market contestability and preventing market manipulation by the dominant players in the cloud infrastructure market. But despite its good intentions, legislation like the DMA won’t be effective unless the Commission identifies cloud providers as gatekeepers. As for the idea of a European cloud marketplace, unless dominant players are required to participate, unfair pricing could still occur. We need to act now, while the Union’s digital strategy is being rewritten. If we don’t, Europe’s security, critical infrastructure, democracy, and the future of its AI industry may be determined by a handful of companies.