Decoding the world of cybersecurity

EU targets AWS and Azure under DMA

The European Commission’s preliminary move to bring AWS and Azure under the Digital Markets Act brings cloud concentration, enterprise dependency, and infrastructure switching into regulatory focus.

EU targets AWS and Azure under DMA
Summary
  • The Commission has informed Amazon and Microsoft of its preliminary view that AWS and Azure should be designated under the DMA.
  • The move is not final, but would place Europe’s largest cloud platforms under additional market conduct obligations.
  • Cloud concentration now sits alongside resilience, procurement, switching power, AI infrastructure, and regulated-sector dependency.

The European Commission has taken a preliminary view that Amazon Web Services and Microsoft Azure should be designated as gatekeepers under the Digital Markets Act, extending the EU’s platform regulation agenda into the cloud infrastructure behind enterprise systems, AI workloads, and digital public services.

The Commission has informed Amazon and Microsoft that their cloud computing services, AWS and Azure, should fall under the DMA despite not meeting all of the quantitative thresholds normally used for designation. Amazon and Microsoft can respond before the Commission adopts any final decisions.

Cloud computing is now a core operational dependency for European organisations. AWS and Azure support public-sector platforms, financial services, healthcare systems, software development environments, AI infrastructure, identity services, analytics platforms, and large parts of the enterprise application estate. Market power in cloud therefore affects more than competition policy. It shapes procurement options, architecture choices, resilience planning, and the practical ability to move workloads when risk or regulation changes.

The Commission has published a Digital Markets Act notice on the preliminary position, saying AWS and Azure are the largest and second largest cloud services in the EU and act as important gateways between businesses and customers.

If AWS and Azure are ultimately designated, the effect will depend on the obligations imposed and how they are enforced. The DMA is designed to prevent gatekeepers from using entrenched platform positions to distort competition. In cloud markets, that can touch switching, portability, interoperability, commercial terms, data movement, and the ability of customers and software providers to avoid deep platform lock-in.

Those issues increasingly overlap with cyber and operational resilience. Cloud exit plans are often written into risk frameworks, but they can be difficult to execute when applications depend on proprietary services, identity integrations, managed databases, observability tooling, and platform-specific security controls. A procurement decision made for speed or engineering convenience can become a long-lived resilience constraint.

Regulated sectors already face pressure to understand concentration risk across critical third parties. Financial services firms in the EU are moving through the Digital Operational Resilience Act, while NIS2 has expanded attention on essential and important entities across sectors. In both cases, boards and risk owners are expected to understand how third-party technology dependencies could affect continuity, incident response, and service recovery.

The cloud market is also being reshaped by AI. Model training, inference, data pipelines, and enterprise AI products depend heavily on hyperscale infrastructure. As organisations add AI workloads to existing cloud estates, bargaining power, portability, and security architecture become more connected. An organisation that cannot easily move workloads may also struggle to change security tooling, identity design, data residency arrangements, or operational controls when its risk profile changes.

The Commission’s preliminary view does not amount to a finding that AWS or Azure has breached the DMA. It does place Europe’s largest cloud services inside a regulatory process that could reshape how enterprise customers, software vendors, and public bodies think about infrastructure dependency.

Cloud resilience is still built in architecture, contracts, recovery testing, and identity design. Regulation may improve market conditions over time, but organisations still need to know which services they can move, which ones they cannot, and where dependency has hardened into operational exposure.

×