The European Commission is preparing a formal investigation into whether Amazon Web Services, Microsoft Azure, and Google Cloud should be brought under the regulatory umbrella of the Digital Markets Act (DMA), following a series of high-impact outages that have exposed the systemic importance of hyperscale cloud providers and the practical limits of voluntary market discipline. This potential regulatory shift represents a watershed moment for cloud computing, as policymakers grapple with the concentration of critical digital infrastructure in the hands of three American technology giants.
The Outage Chronology That Triggered Regulatory Scrutiny
A cascade of major incidents throughout 2025 has brought cloud reliability and market concentration into sharp focus for European regulators. In October 2025, two separate control-plane incidents at the largest public cloud providers produced cascading outages that affected consumer applications, enterprise services, and public-sector systems worldwide.
On October 20, an AWS failure in the US-EAST-1 region—centered on DNS and DynamoDB endpoint resolution—knocked down hundreds of services and produced a long recovery tail. The incident began when DNS resolution for DynamoDB API endpoints failed, causing widespread errors across managed services that rely on that control-plane primitive. Orchestration, launch, and authentication workflows experienced high error rates, and as automated recovery and health checks ran, inconsistencies in internal state prolonged the outage, creating degraded service for many customers that lasted for hours.
Just nine days later, on October 29, a configuration error in Microsoft's Azure Front Door edge fabric disrupted Microsoft-hosted services and many third-party sites. The misconfiguration introduced an invalid state that prevented many edge nodes from loading correctly, manifesting as authentication failures, blank admin consoles, and 502/504 errors for numerous tenants. The impact was particularly severe: the Scottish Parliament suspended voting after its electronic voting system failed, while Alaska Airlines and other carriers reported customer-facing check-in and website problems that forced manual fallbacks at airports.
These incidents followed a June 2025 Google Cloud outage that originated from an invalid automated quota update in Google's Service Control system, causing external API requests to be rejected globally with 503 errors. The outage affected Google Workspace components and major third-party workloads including Spotify and Discord.
Why These Outages Matter: The New Digital Reality
These outages made plain that the modern internet relies on a relatively small set of cloud primitives—DNS, global ingress fabrics, identity, and managed databases—provided by a handful of hyperscalers. When those primitives fail, dozens or hundreds of downstream services can be impacted almost immediately. According to industry trackers, the top three providers capture approximately two-thirds of global public cloud spending, a concentration that regulators and policymakers have watched closely for several years.
Market-share data confirms this concentration. According to Synergy Research Group, AWS, Microsoft Azure, and Google Cloud collectively accounted for 66% of the worldwide cloud infrastructure service market in Q4 2024, with AWS holding 31%, Microsoft 24%, and Google 11%. This dominance creates what regulators view as systemic risk, particularly as cloud platforms now host banking back-ends, airline operations, health systems, and parliamentary voting systems.
The DMA Investigation: What Regulators Are Examining
According to industry reporting relayed in the European tech press, EU officials are preparing an inquiry into whether the cloud units of Amazon, Microsoft, and Google meet the criteria for obligations under the Digital Markets Act or otherwise require tailored remedies. The focus is expected to examine whether these providers:
- Exert gatekeeper-style market power in core cloud services
- Use bundling or preferential treatment to favor first-party products
- Impose switching friction through high egress costs and proprietary interfaces
- Restrict technical interoperability and data portability for customers
These are precisely the sorts of conduct the DMA was designed to curb where a service meets the gatekeeper thresholds. The DMA, which came into full force in March 2024, aims to ensure fair and contestable digital markets by imposing obligations on large platforms designated as "gatekeepers." These obligations include prohibitions on self-preferencing, requirements for interoperability, and mandates for data portability.
The Technical and Market Reality Behind Regulatory Concerns
Three converging policy concerns explain the heightened regulatory attention to the cloud "troika":
Market Concentration and Lock-in: Industry trackers and competition authorities repeatedly note that AWS, Microsoft Azure, and Google Cloud capture the lion's share of public cloud spending. Regulators worry that proprietary primitives, egress charges, and complex licensing create durable switching costs that lock customers into specific ecosystems.
Operational Criticality: Cloud platforms now host systems with significant societal impact. When a control-plane primitive fails, the consequences reach beyond consumer inconvenience into public-sector functioning and economic loss. This real-world criticality invites treatment more like telecoms or utilities in the eyes of some policymakers.
Digital Sovereignty Concerns: European policymakers have long worried about dependence on non-EU providers and the legal framework around extraterritorial data access (such as the U.S. CLOUD Act). Recent outages have amplified those anxieties and fed calls for either stronger regulatory constraints or the development of a European sovereign cloud stack.
What the DMA Can—and Cannot—Do for Cloud
The DMA creates a toolbox of conduct obligations for gatekeepers—large platforms that meet thresholds for turnover, user reach, and business user counts. If cloud services are designated as gatekeeper core platform services or if specific cloud firms are designated, possible Commission actions include:
- Forcing greater interoperability or standard APIs for critical services
- Requiring data portability guarantees with audited tools
- Banning certain tying/bundling practices that favor first-party services
- Mandating non-discriminatory access to aggregated or non-aggregated data generated in the course of cloud use
These are potent remedies for reducing lock-in, but they have limits. The DMA's thresholds were designed for consumer-facing platforms and use metrics like monthly active end users—measures that don't map cleanly onto enterprise cloud contracts and infrastructure. That's one reason cloud services have, until now, been difficult to bring within the DMA's usual gatekeeper framework.
Community Perspectives: The WindowsForum Discussion
The WindowsForum discussion provides valuable insights into how IT professionals and cloud customers are responding to these developments. Community members expressed several key concerns:
Technical Dependency Concerns: Multiple contributors noted that their organizations have become deeply dependent on specific cloud primitives, particularly DNS and global ingress services. One commenter stated, "We thought we had multi-region redundancy, but when AWS's control plane failed, our failover mechanisms couldn't authenticate because they relied on the same broken DNS resolution."
Cost Implications: Several participants highlighted the financial barriers to true multi-cloud strategies. "The egress fees alone make moving petabytes of data between clouds economically impossible for most mid-sized companies," noted one IT director. This economic reality creates what community members call "soft lock-in"—theoretical portability that's practically unaffordable.
Regulatory Uncertainty: Forum participants expressed mixed feelings about potential DMA intervention. While many welcomed measures that might reduce switching costs and increase transparency, others worried about unintended consequences. "If the EU forces hyperscalers to open up their APIs and reduce egress fees, that's great," wrote one contributor. "But if they mandate data localization or awkward technical standards, we could end up with fragmented, less secure systems."
The Strengths and Risks of Hyperscale Clouds
Understanding why customers choose hyperscalers is crucial to assessing potential regulatory interventions:
Strengths of Hyperscalers:
- Economies of scale and feature breadth: Hyperscalers deliver global reach, specialist managed services, and continuous innovation (especially in AI and data services) that few regional players can match.
- Operational expertise and certifications: Compliance frameworks, security operations centers, and resilient networking are expensive to build; many customers rely on hyperscalers precisely because they provide these as managed capabilities.
- Ecosystem effects: Rich partner networks, marketplaces, and developer tooling accelerate product development and lower time-to-market for enterprises and startups.
Structural and Operational Risks:
- Control-plane fragility: DNS and global edge fabrics are single points of failure when so many services rely on them; misconfigurations or automation defects can cascade rapidly.
- Lock-in via proprietary primitives and egress economics: Proprietary managed services and data-transfer pricing create real switching costs that can be used strategically or simply make migration prohibitively expensive.
- Opacity and limited customer telemetry: Customers often lack inside visibility on routing, DNS, and control-plane state that would allow faster failovers or informed procurement decisions during incidents.
Regulatory Trade-offs and Implementation Challenges
Any regulatory intervention must navigate significant trade-offs:
Overreach vs. Underreach: Heavy obligations could force hyperscalers to unwind practical efficiencies, slow innovation, or create compliance costs that ultimately raise prices or push investment elsewhere. Conversely, too little action risks locking in dependence and increasing systemic fragility.
Fragmentation Risk: Mandating data-localization or awkward technical interfaces in the name of sovereignty can fragment operational security models and harm resilience that relies on global threat intelligence sharing.
Implementation Complexity: The DMA wasn't originally calibrated for enterprise cloud. Translating consumer-oriented gatekeeper rules into meaningful, enforceable obligations for cloud primitives is challenging and will invite technical pushback and long legal fights.
What Regulators Might Realistically Do Next
Based on current reporting and policy trajectories, several scenarios are plausible:
- Formal DMA Investigation: The Commission could launch a formal inquiry to determine whether specific cloud services meet DMA designation criteria in practice, gathering evidence on market share, switching costs, and impacts on business users.
- Tailored Obligations Package: If designation is possible, regulators might consider a tailored obligations package emphasizing technical interoperability and open standards for control-plane APIs, audited data portability tooling with measurable performance indicators, and constraints on bundling that create untenable switching costs.
- Alternative Regulatory Approaches: The Commission could use competition law and sector-specific instruments (procurement rules, critical-infrastructure designation, incident reporting mandates) to drive transparency and resilience without full DMA gatekeeper obligations.
UK precedent is informative here: the Competition and Markets Authority's provisional findings recommended further investigation of AWS and Microsoft under UK digital markets legislation; similar arguments and remedies are under debate at EU level.
Practical Steps for Enterprises and Public Bodies
Regardless of regulatory outcomes, IT leaders should consider several practical measures:
Map Dependencies: Identify which application flows rely on single control-plane primitives (DNS entries, global ingress, single managed databases).
Harden DNS and Authentication Resilience: Add independent DNS health checks, diversify edge providers where feasible, and decouple identity dependencies from a single global fabric.
Practice Multi-region and Multi-cloud Failovers: Test runbooks for cross-region failover, and catalogue the business costs that result from different outage classes to inform procurement and SLA negotiations.
Demand Post-incident Transparency: When renewing contracts, require quantified post-incident reports, measurable remediation commitments, and contractual remedies tied to resilience.
Engage Policymakers Through Trade Associations: Collective responses can shape sensible regulation that improves contestability without destroying global-scale operational efficiencies.
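The dependency-mapping and failover steps above can be made concrete with a small audit. This is an added example, not code from the original article. It walks a constructed dependency inventory (every component, flow and provider name is hypothetical) and reports which components sit under every redundant path of a flow, so that "multi-region" failover which still shares one DNS provider or identity fabric shows up explicitly.

```python
from typing import Dict, List, Set

# Constructed inventory (all names hypothetical): component -> direct dependencies.
DEPENDS_ON: Dict[str, List[str]] = {
    "web-eu": ["ingress-global", "auth-service", "db-eu"],
    "web-us": ["ingress-global", "auth-service", "db-us"],
    "auth-service": ["dns:provider-a", "idp-global"],
    "idp-global": ["dns:provider-a"],
    "ingress-global": ["dns:provider-a"],
    "db-eu": ["dns:provider-a"],
    "db-us": ["dns:provider-a"],
    "batch-eu": ["queue-eu"],
    "batch-alt": ["queue-alt"],
    "queue-eu": ["dns:provider-a"],
    "queue-alt": ["dns:provider-b"],
}

# Constructed flows: each lists the entry component of every redundant path.
FLOWS: Dict[str, List[str]] = {
    "checkout": ["web-eu", "web-us"],            # two regions, one control plane
    "nightly-batch": ["batch-eu", "batch-alt"],  # independent DNS per path
    "reporting": ["web-eu"],                     # no failover path at all
}

def closure(start: str, graph: Dict[str, List[str]]) -> Set[str]:
    """Return start plus everything it depends on, directly or transitively."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        node = stack.pop()
        if node in seen:  # already expanded; also guards against cycles
            continue
        seen.add(node)
        stack.extend(graph.get(node, []))  # leaf primitives have no entry
    return seen

def shared_fate(flows: Dict[str, List[str]], graph: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Per flow, the components present in every one of its redundant paths."""
    return {flow: set.intersection(*(closure(p, graph) for p in paths))
            for flow, paths in flows.items()}

def blast_radius(flows: Dict[str, List[str]], graph: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Invert shared_fate: component -> flows with no path that survives its failure."""
    radius: Dict[str, List[str]] = {}
    for flow, shared in shared_fate(flows, graph).items():
        for comp in shared:
            radius.setdefault(comp, []).append(flow)
    return {comp: sorted(hit) for comp, hit in radius.items()}

if __name__ == "__main__":
    ranked = sorted(blast_radius(FLOWS, DEPENDS_ON).items(), key=lambda kv: (-len(kv[1]), kv[0]))
    for comp, hit in ranked:
        print(f"{comp:16} takes down: {', '.join(hit)}")
```

An empty set for a flow means no single component in the inventory can take out all of its paths. Any non-empty set is the list to diversify first or to exercise in failover tests.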
The Future Cloud Market Landscape
The regulatory developments could reshape the cloud market in several ways:
Short Term: Higher regulatory friction, louder political pressure for sovereign cloud options, and accelerated product changes by hyperscalers (e.g., lower egress costs or new portability tooling) to blunt enforcement risk.
Medium Term: Possible formal remedies (interoperability rules, portability obligations) that reduce some switching friction but also create compliance overheads and potential innovation delays as vendors architect for regulatory constraints.
Long Term: Either the emergence of a stronger European sovereign cloud ecosystem (if public funding and procurement shift decisively) or a continued hyperscaler-driven market shaped by targeted remedies and technical standards that enable easier multi-cloud operations.
Critical Appraisal: Strengths and Blindspots
The case for regulatory action is strong on factual grounds: concentration, the discovery of practical switching costs, and multiple high-visibility incidents make the policy problem tangible. Regulators have legitimate tools in the DMA and competition law to address anti-competitive practices that create lock-in.
However, potential blindspots remain:
Technical Complexity: Effective cloud remedies require deep technical understanding of control-plane architectures and realistic migration costs; policymakers risk mis-specifying obligations in ways that create perverse incentives.
Geopolitical Considerations: Forcing hasty fragmentation or localization may degrade cross-border threat intelligence and operational resilience.
Implementation Timeline: Large enforcement actions will draw prolonged litigation that may slow the arrival of practical remedies.
A prudent Commission approach would combine targeted inquiries with stakeholder consultation, technical standards development, and calibrated remedies focused on interoperability, portability, and incident transparency rather than blunt structural separation.
Conclusion: A Watershed Moment for Cloud Governance
The October and June outages shifted the cloud debate from theoretical concentration concerns to immediate policy risk. Whether the European Commission will apply the DMA directly to the major cloud providers or pursue tailored measures that borrow the DMA's spirit—enforcing interoperability, portability, and anti-tying rules—remains to be seen.
For enterprises, the short-term imperative is operational: map dependencies, test failover plans, and demand stronger contractual transparency from providers. For policymakers, the challenge is harder: craft enforceable, technical remedies that reduce lock-in and increase resilience without degrading the global efficiencies that hyperscalers enable.
The outages of 2025 are a wake-up call: cloud scale brings power and fragility in equal measure. The policy response—if it is proportionate, technically informed, and targeted—can make the cloud safer and more contestable. If it is blunt or rushed, it risks imposing new costs without materially improving resilience. The coming months will determine which path Europe, and perhaps the wider world, chooses as cloud computing enters a new era of regulatory scrutiny.