The Digital Markets Act, Regulation (EU) 2022/1925, is a binding EU law that imposes ex-ante obligations on large digital platforms designated as gatekeepers. In November 2025 the European Commission opened three formal market investigations specifically targeting cloud computing services, examining whether providers such as Amazon Web Services and Microsoft Azure meet the criteria for gatekeeper designation and whether their current practices already breach obligations that would attach upon designation. For regulated organisations across the public sector, finance, healthcare and legal services, these investigations are not an abstract regulatory event: they directly affect the legal architecture of every long-term cloud contract being signed today.
What Triggered the November 2025 Cloud Investigations
The Commission launched the investigations after sustained market-monitoring work by the DG COMP and DG CONNECT Joint Enforcement Team concluded that cloud infrastructure and platform services show the structural characteristics the DMA was designed to address.
Three interlocking concerns drove the decision to open formal proceedings. First, concentration: ENISA’s 2023 Cloud Cybersecurity Market Analysis found that three US-headquartered providers control approximately 69% of the European cloud market. Second, switching friction: providers bundle compute, storage, networking, identity management and AI tooling in ways that make disaggregation technically and commercially punishing. Third, data gravity: once an organisation’s data, application state and operational logs reside inside a hyperscaler’s proprietary ecosystem, replication costs, egress fees and API incompatibilities function as structural exit barriers even when no contractual lock-in clause exists.
The investigations examine specific practices: preferential pricing for customers who consume multiple services from the same provider exclusively, technical incompatibilities between proprietary container orchestration and third-party platforms, and the structure of egress fees that make genuine multi-cloud or hybrid-cloud operation economically irrational. These are precisely the patterns that Articles 5 and 6 of the DMA were designed to prohibit for designated gatekeepers.
Which DMA Obligations Would Follow Gatekeeper Designation
If the Commission designates AWS or Azure as gatekeepers for cloud infrastructure or platform services, a structured set of obligations under Articles 5, 6 and 7 of Regulation (EU) 2022/1925 would apply immediately upon designation.
Anti-tying under Article 5
Article 5 prohibits gatekeepers from requiring business users to use, offer or interoperate with the gatekeeper’s own services as a condition of access to the core platform service. In cloud terms, this would make it unlawful for AWS to condition favourable Reserved Instance pricing on exclusive use of AWS identity services, or for Azure to require customers to use Azure Active Directory as a condition of accessing discounted compute. Regulated organisations that have accepted such bundled pricing structures in existing contracts would gain a legal argument for renegotiation the moment designation takes effect.
Interoperability under Article 6
Article 6 obligations require gatekeepers to provide third parties with effective interoperability with the same hardware and software features available to the gatekeeper’s own services. For cloud infrastructure, this means that competing storage services, container platforms and security monitoring tools must be able to integrate with core cloud APIs on equivalent terms. The Joint Enforcement Team is specifically examining whether proprietary Kubernetes distributions, managed database APIs and machine-learning pipeline tooling are documented and accessible in ways that allow a customer to replicate their operational environment on a different provider.
Data portability under Article 6(9) and 6(10)
These sub-provisions require gatekeepers to ensure continuous, real-time portability of data generated through a business user’s use of the core platform service. For a hospital system or financial institution, this means structured export of transaction logs, audit trails, configuration states and user-generated content in standard formats without data degradation or metadata stripping. This is not merely a backup obligation: it is a live API-level requirement that the gatekeeper must maintain at no additional cost.
Interaction with the EU Data Act’s Cloud-Switching Provisions
The Data Act (Regulation EU 2023/2854) operates in parallel with the DMA but through a different mechanism. Articles 23 to 31 of the Data Act impose switching obligations on all cloud providers, regardless of gatekeeper status, covering the full spectrum from infrastructure-as-a-service to software-as-a-service.
| Instrument | Scope | Key obligation | Applies from |
|---|---|---|---|
| DMA Article 6(9)/(10) | Designated gatekeepers only | Continuous real-time data portability via API | Upon gatekeeper designation |
| Data Act Articles 23 to 31 | All cloud providers in the EU | Contractual exit rights, zero egress fees by January 2027, technical portability guarantees | September 2025 (phased) |
| GDPR Article 20 | Personal data controllers and processors | Right of data portability for data subjects in structured, machine-readable format | May 2018 |
The Data Act’s requirement to eliminate switching fees by January 2027 is already in force for contracts entered into after September 2025. For regulated organisations in finance (subject to DORA operational resilience requirements) and healthcare (subject to NIS-2 incident notification obligations), the Data Act provides an immediately enforceable contractual lever that does not depend on the outcome of the DMA gatekeeper investigations.
As the European Data Protection Supervisor stated in its supervisory opinion on cloud procurement: “Cloud providers should not be able to make it technically or commercially unreasonable for customers to switch or to combine services from multiple providers.” That principle now has statutory backing in two separate EU instruments.
Contractual and Technical Barriers Under Scrutiny
The DMA investigations are examining barriers that map precisely to the practical obstacles compliance officers encounter when they attempt to assess exit feasibility during vendor assessments.
Proprietary data formats are a primary concern. When object storage uses provider-specific metadata schemas, migration to a standards-based alternative such as S3-compatible open-source storage requires transformation pipelines that introduce both cost and data-integrity risk. The investigations are assessing whether format lock-in is a deliberate architectural choice rather than a technical necessity.
Egress fees remain the most quantitatively significant barrier. Moving one petabyte of data out of a major hyperscaler’s European region can cost tens of thousands of euros in transfer charges alone, before accounting for staff time and downtime. This structure creates an asymmetry: ingress is free, exit is expensive, which economically anchors customers regardless of their contractual right to leave.
Identity and access management interdependencies form a third category. When an organisation’s entire permission model, single sign-on infrastructure and privileged-access controls are built on a provider’s proprietary identity platform, migration requires either maintaining a parallel identity system during transition or accepting a period of reduced access control granularity. Neither option is acceptable under NIS-2 Article 21’s security requirements or DORA’s ICT third-party risk management framework.
How CISOs and Procurement Officers Should Act During the Investigation Timeline
The period between an investigation opening and a final designation decision, which under the DMA can take up to twelve months with possible extensions, is not a period of regulatory inertia. It is an opportunity to restructure contractual relationships while the hyperscalers have a strong reputational and regulatory incentive to demonstrate cooperative behaviour.
The global average cost of a data breach reached USD 4.88 million in 2024, according to IBM’s Cost of a Data Breach Report, the highest figure on record. That figure makes the cost of switching infrastructure look different when weighed against the cost of remaining locked into a non-sovereign environment that cannot be audited or exited under operational stress.
European cloud spending reached approximately 63 billion euros in 2023, with AWS and Microsoft together holding more than 50% of the European market, according to Synergy Research Group analysis. The scale of that concentration is precisely what makes the DMA investigations material: a designation decision affects the contractual rights of the majority of large European organisations simultaneously.
Concretely, CISOs should use the investigation timeline to commission a cloud exit readiness assessment: a technical and contractual audit that maps which data assets, application dependencies and identity configurations would need to be migrated, what the current egress cost would be, and which contractual clauses would need to change to make an exit feasible within a regulatory incident response window. Procurement officers should table exit-rights clauses, API documentation requirements and format-portability guarantees as standard terms in renewal negotiations, citing both the Data Act’s Article 23 to 31 framework and the pending DMA investigation as the regulatory context.
Former European Commission Executive Vice-President Margrethe Vestager made the policy logic explicit: “The Commission must ensure that large platforms do not use their market power in one area to entrench their position in related markets such as cloud computing.” That statement reflects a Commission commitment that predates the November 2025 investigations and signals that the regulatory direction of travel is not reversible regardless of individual investigation outcomes.
Organisations that treat the DMA investigation as a future regulatory event rather than a present negotiating tool will find themselves renegotiating from a weaker position once designation decisions are issued and hyperscalers move from cooperative signalling to compliance minimisation. The time to secure exit rights, portability APIs and format guarantees is during the investigation window, when regulatory pressure is highest and the cost of concessions to the provider is lowest.
FAQ
What is a DMA gatekeeper designation and does it apply automatically to AWS and Azure?
A gatekeeper designation under Regulation (EU) 2022/1925 is a formal Commission decision triggered when a platform meets quantitative thresholds (annual EEA turnover above 7.5 billion euros or market capitalisation above 75 billion euros, combined with 45 million monthly end-users) or is found to have an entrenched and durable market position. The November 2025 investigations are market investigations that precede formal designation. AWS and Azure are not yet designated gatekeepers for cloud infrastructure services; the investigations assess whether they should be, and whether their current practices already cause the harms the DMA is designed to prevent.
Which DMA obligations would be most impactful for cloud infrastructure if designation occurs?
Article 5 prohibits self-preferencing and anti-competitive tying. Article 6 requires effective third-party interoperability and continuous data portability. For regulated organisations, Articles 6(9) and 6(10), which govern real-time data portability via API and the obligation to maintain that portability at no additional cost, are the most immediately relevant. These provisions would make it unlawful for a designated gatekeeper to structure egress fees or API incompatibilities in ways that make switching economically irrational.
How does the EU Data Act reinforce the DMA’s cloud-switching provisions?
Regulation (EU) 2023/2854 Articles 23 to 31 require all cloud providers operating in the EU, not only designated gatekeepers, to offer contractual exit rights, remove switching charges by January 2027 and guarantee technical portability of data and digital assets in standard formats. Organisations can invoke these Data Act provisions in contract negotiations today without waiting for any DMA designation decision.
Can a CISO or procurement officer reference the ongoing DMA investigations in contract negotiations right now?
Yes. An open Commission investigation creates documented regulatory uncertainty for hyperscalers and strengthens the customer’s position when requesting exit clauses, API documentation and data-portability guarantees. Contracts with multi-year lock-in periods signed today may expire after designation decisions are issued; inserting clauses that automatically align with any new regulatory requirements protects the organisation without requiring the provider to concede rights it does not yet legally owe.
What enforcement body runs the DMA cloud investigations and what are its powers?
The investigations are conducted by the DG COMP and DG CONNECT Joint Enforcement Team within the European Commission. The team can compel information disclosure, conduct on-site inspections and impose interim measures to prevent harm during the investigation period. If a designated gatekeeper fails to comply with DMA obligations, fines of up to 10% of global annual turnover apply, rising to 20% for repeat infringements, with periodic penalty payments for sustained non-compliance during enforcement proceedings.
