EU Flags AWS and Azure as DMA Gatekeepers — 25 June 2026: What Every UK Business Running Cloud Needs to Do Now

On 25 June 2026 the European Commission delivered a decision that quietly redraws the map of the cloud-computing industry. In a preliminary finding addressed to Amazon and Microsoft, the Commission set out the view that Amazon Web Services and Microsoft Azure should be designated as “gatekeepers” under the Digital Markets Act (DMA) — the EU’s flagship rulebook for the most powerful digital platforms. It is the first time the DMA’s gatekeeper machinery has reached into cloud infrastructure itself, the layer on which almost every modern business now runs. For the operators of the two largest cloud platforms on earth, it is the opening move in a regulatory process that, if it runs its course, will force open data portability, mandate interoperability and prohibit self-preferencing within their sprawling service estates.

What makes the 25 June finding striking is how the Commission reached it. Neither AWS nor Azure met the standard quantitative thresholds the DMA normally uses to identify a gatekeeper — the €7.5 billion of EU-specific annual turnover, the 45 million monthly active end users, the 10,000 yearly active business users. Instead, the Commission invoked its discretionary qualitative designation power, arguing that both platforms hold an entrenched and durable position regardless of the headline numbers. It cited deep customer lock-in, punishingly high switching costs, and the increasingly decisive role that each platform’s artificial-intelligence portfolio now plays in cloud procurement. For UK SME leaders the immediate question is not one of legal compliance — Brexit places UK businesses outside the DMA’s direct obligations — but one of strategy: how deeply is your organisation embedded in AWS or Azure, what would it actually cost you to move, and does your IT roadmap account for a regulatory environment that is now actively trying to lower those switching costs? This article unpacks the finding, the timeline, the market context, and the 10-step cloud-strategy programme every UK business running on these platforms should run this quarter.

10%

Maximum DMA fine as a share of worldwide annual turnover for non-compliance

28%

AWS global cloud market share, Q1 2026 (Synergy Research Group) — Azure 21%, GCP 14%

6 months

Compliance window once a formal gatekeeper designation is issued

50%+

Share of EU businesses relying on cloud services (cited by EC VP Henna Virkkunen)

What the European Commission Actually Decided on 25 June 2026

The Commission’s announcement is a preliminary position, not a final ruling. In plain terms, the regulator has told Amazon and Microsoft that, on the evidence gathered so far, it considers AWS and Azure to be gatekeepers for cloud-computing services within the meaning of the DMA. Both companies now have the right of defence: they may respond in writing, present arguments and supporting data, and contest the Commission’s reasoning before any final decision is taken. A stakeholder roundtable is scheduled for 1 July 2026, at which competitors, customers and industry bodies will give evidence on the state of competition in the cloud market. Only after that process concludes will the Commission decide whether to confirm the designation.

The substance of the finding rests on three arguments. First, the Commission concluded that the operational capacity and capital investment of AWS and Azure have “significantly outpaced” their rivals — the scale of their data-centre footprints, global networks and engineering resources places them in a category of their own. Second, it found that both platforms benefit from pronounced lock-in effects and high switching costs: once an organisation builds on a platform’s proprietary services, the technical and commercial cost of leaving rises steeply over time. Third, and most contemporary, it judged that each platform’s AI portfolio has become “a decisive factor in cloud procurement” — buyers increasingly choose a cloud not only for compute and storage but for the AI models, accelerators and tooling bundled alongside it, deepening the gravitational pull of the incumbents.

Two senior Commission figures framed the decision. Teresa Ribera, Executive Vice-President for Competition, said that “cloud services must be provided in a fair, open and competitive environment”. Henna Virkkunen, Executive Vice-President for Technological Sovereignty, added that “cloud services have become a cornerstone of Europe’s economy — and a prerequisite for AI”, noting that more than half of EU businesses now depend on them. The language matters: the Commission is positioning cloud not as a discretionary IT purchase but as critical economic infrastructure, and treating concentration in that infrastructure as a matter of strategic concern rather than ordinary competition policy.

Why this matters to a UK business that thinks Brexit makes it irrelevant

UK SMEs are not directly subject to DMA obligations — that is correct. But the conclusion that follows is wrong if it is “therefore ignore it”. The DMA does not bind your business; it binds your suppliers. If AWS or Azure are forced to lower switching costs, improve data portability and stop self-preferencing inside the EU, those changes ripple through the global products UK firms actually use. More importantly, the finding is a flashing indicator light on a risk you already carry today: vendor lock-in. The regulator has, in effect, published an independent assessment that switching away from these platforms is currently hard and expensive. If a competition authority can see that, so should your board — and the right response is a lock-in audit, not a shrug.

How We Got Here — The DMA Cloud Timeline

The 25 June finding did not appear from nowhere. It is the latest step in a deliberate, months-long investigative process, and understanding the chronology helps UK leaders judge how fast the consequences could arrive.

2022–2023 — The DMA enters into force

The Digital Markets Act becomes EU law, establishing the gatekeeper concept for “core platform services”. The first wave of designations targets app stores, search, social media, messaging and browsers — cloud infrastructure is named as a core platform service category but no cloud provider is designated.

Throughout 2024–2025 — Pressure builds on cloud concentration

European competitors and trade bodies argue that the hyperscalers’ dominance of cloud infrastructure raises the same concerns the DMA was written to address. Regulators in several member states scrutinise licensing terms, egress fees and bundling practices.

18 November 2025 — Commission opens its investigation

The European Commission formally opens market investigations into whether Amazon Web Services and Microsoft Azure should be designated as gatekeepers for cloud computing — signalling its willingness to use the DMA’s qualitative designation power where the quantitative thresholds are not mechanically met.

25 June 2026 — Preliminary finding issued

The Commission tells Amazon and Microsoft it preliminarily considers AWS and Azure to be cloud gatekeepers, citing lock-in, switching costs and AI’s decisive role in procurement. Both companies gain the right of defence.

1 July 2026 — Stakeholder roundtable

Competitors, customers and industry bodies present evidence to the Commission on competition, switching and interoperability in the cloud market. This is a key input to the final decision.

Following months — Right of defence and final decision

Amazon and Microsoft exercise their right of defence in writing and through hearings. The Commission weighs the evidence before deciding whether to confirm a formal designation.

On designation + 6 months — Compliance obligations bite

If formally designated, AWS and Azure each have six months to comply with the full suite of DMA obligations — data portability, interoperability, an end to self-preferencing and fair access terms for business users.

The Cloud Market the Commission Is Looking At

To understand why the regulator acted, it helps to see the shape of the market. Global cloud-infrastructure spending grew 35 per cent year on year to reach roughly $129 billion in the first quarter of 2026, according to Synergy Research Group. Within that expanding pie, the distribution of share is remarkably stable and remarkably concentrated. The chart below shows the approximate global market positions the Commission is weighing — and the gap between the top two and everyone else is exactly the concentration the DMA was designed to scrutinise.

AWS — global share

28%

Microsoft Azure

21%

Google Cloud

14%

AWS + Azure combined

49%

Top three combined

63%

All other providers

37%

YoY market growth (Q1 2026)

35%

The figures explain the regulator’s logic. AWS and Azure together account for roughly half of all global cloud-infrastructure spending; add Google Cloud and the top three hold close to two-thirds. The remaining third is fragmented across dozens of regional and specialist providers, none of which has the capital base to build a competing global platform from scratch. When a market grows 35 per cent a year and the leaders keep their share, scale compounds rather than erodes — which is precisely the dynamic the Commission described when it said the incumbents had “significantly outpaced” their competitors. For UK SMEs the practical reading is simple: you are almost certainly buying from one of the top two, and the structural forces that made them dominant are not weakening.

The Thresholds That Were Not Met — And Why It Did Not Matter

One of the most important technical points in the 25 June finding is that AWS and Azure did not trip the DMA’s automatic, quantitative gatekeeper thresholds for their cloud-specific businesses. The Act sets numerical tests that, when met, create a presumption of gatekeeper status. The Commission’s finding turned instead on its qualitative, discretionary power — a deliberate signal that the headline numbers are not the only route to designation. The donut below shows the relationship between the two paths.

AWS and Azure met none of the three quantitative cloud thresholds (€7.5bn EU turnover, 45m end users, 10k business users) — yet were still found to be gatekeepers under the qualitative designation power.

The three quantitative thresholds the Commission looked at were a cloud-specific EU annual turnover of €7.5 billion, 45 million monthly active end users in the EU, and 10,000 yearly active EU business users. On the cloud-services figures the Commission examined, none of these was clearly met — which is itself revealing about how the hyperscalers structure and report their cloud revenue. Rather than treat that as the end of the matter, the regulator used the provision in the DMA that allows it to designate a platform as a gatekeeper following a market investigation where the qualitative criteria — durable, entrenched position; significant impact on the internal market; an important gateway for business users to reach customers — are satisfied. The message to every dominant platform is unambiguous: structuring your revenue to stay below a numeric line will not, on its own, keep you outside the rules.

Where UK SMEs Are Most Exposed to Cloud Lock-In

The regulator’s central finding — that switching costs are high — is not an abstraction. It maps directly onto the architecture decisions UK businesses make every week. The score grid below rates the most common sources of lock-in by how hard they typically are to unwind. Use it as a self-assessment: the more “high” rows that describe your estate, the more deliberate your cloud strategy needs to be.

Cloud lock-in exposure — rate your own estate

Proprietary managed databases (DynamoDB, Cosmos DB) holding core data High

Serverless functions wired to platform-specific event services High

Identity and access built entirely on the provider’s native IAM / Entra ID High

AI/ML pipelines bound to one vendor’s model catalogue and accelerators High

Large data volumes subject to egress (data-transfer-out) charges on exit Mid

Infrastructure-as-code templates written in a vendor-specific format Mid

Containerised workloads on managed Kubernetes (portable with effort) Low

Plain virtual machines and object storage using open formats Low

The pattern is consistent: the more “managed” and proprietary a service is, the more convenient it is to adopt and the harder it is to leave. That is not an argument against using managed services — they deliver real operational value — but it is an argument for adopting them with eyes open, knowing which decisions are reversible and which are effectively one-way doors. The DMA finding is, in a sense, the regulator publishing the same observation at industry scale.

What a Cloud Lock-In Audit Costs by Business Size

A lock-in audit is not a vague exercise — it is a scoped piece of work whose effort scales with the size and complexity of your estate. The indicative bands below reflect the typical shape of a UK SME cloud assessment: mapping every workload, classifying its portability, quantifying egress and switching costs, and producing a prioritised roadmap. Figures are indicative planning ranges, not quotes.

Business profile	Typical cloud footprint	Indicative audit scope	Indicative effort
Micro (1–10 staff)	A handful of VMs, M365, one or two SaaS apps	Footprint map, egress check, quick-win recommendations	2–3 days
Small (10–50 staff)	Single-cloud estate, some managed databases, basic CI/CD	Full workload inventory, portability scoring, cost model	1–2 weeks
Medium (50–200 staff)	Multiple environments, proprietary services, early AI workloads	Architecture review, exit-cost analysis, multi-cloud option appraisal	3–5 weeks
Larger SME (200–500 staff)	Complex multi-account estate, regulated data, vendor AI in production	Governance review, resilience strategy, phased migration roadmap	6–10 weeks

The point of the audit is not necessarily to leave your current provider — for most UK SMEs, AWS or Azure remains the right home for the majority of workloads. The point is to know your position: which workloads are portable, what an exit would actually cost, where a second provider or an open-standards approach reduces risk, and how to negotiate from a position of knowledge rather than dependence. That knowledge is exactly what the DMA is trying to give every European buyer by regulation; a good audit gives it to you directly.

Reactive Dependence vs Deliberate Cloud Strategy

The DMA finding draws a sharp line between two ways of relating to a cloud platform. Most organisations drift into the first without ever deciding to. The comparison below sets out the difference, and where a managed approach takes you.

Reactive dependence

What most SMEs do today

Adopt managed services for convenience, with no record of which are reversible
No map of where business-critical data physically lives or how to extract it
Egress and exit costs unknown until a migration is forced
Renewal negotiations conducted from a position of dependence
AI workloads pinned to one vendor’s model catalogue by default
Resilience assumed, never tested — a single provider is a single point of failure

Deliberate cloud strategy

Where Cloudswitched takes you

Every workload classified by portability before it goes to production
A current data-residency and extraction map, reviewed quarterly
Exit and egress costs modelled in advance and built into budgets
Renewals informed by a credible, costed alternative
A model-agnostic AI approach that keeps procurement choices open
Resilience designed in, with failover paths tested, not assumed

The 10-Step Cloud-Strategy Programme for UK SMEs

You do not need to react to the DMA finding with a panicked migration. You need a structured programme that turns an unmanaged dependency into a managed strategy. The ten steps below are the sequence Cloudswitched runs with clients, each with an indicative readiness weighting showing how far the typical SME has already progressed.

1 — Inventory every cloud workload and account

Week 1

2 — Classify each workload by portability (low / mid / high lock-in)

Week 1–2

3 — Map where business-critical data physically resides

Week 2

4 — Model egress and exit costs for the top workloads

Week 2–3

5 — Review identity, access and governance dependencies

Week 3

6 — Assess AI workloads for model and accelerator lock-in

Week 3–4

7 — Define a target architecture (single, hybrid or multi-cloud)

Week 4

8 — Build resilience and failover into critical paths

Week 5

9 — Renegotiate or right-size from a position of knowledge

Week 6

10 — Establish quarterly review and ongoing governance

Ongoing

The early steps — inventory and classification — are achievable for almost any UK SME within a fortnight and deliver disproportionate value: most organisations have never produced a single, authoritative list of every cloud workload and where its data lives. The later steps are where strategy is made, and where an experienced managed partner earns its keep, because they involve trade-offs between cost, resilience, performance and reversibility that are hard to weigh from the inside.

Typical SME cloud-readiness score out of 100

In Cloudswitched assessments, the average UK SME scores in the high-30s out of 100 on cloud readiness — not because their platforms are wrong, but because dependence has accumulated without a plan. The good news is that the score moves quickly once the first three programme steps are complete, because clarity is most of the battle.

A practical first move you can make this week

Before any audit, ask your team three questions and write down the answers. First: if our primary cloud account were unavailable for 48 hours, which services would stop, and do we have a tested recovery path? Second: if we had to extract our largest dataset and move it elsewhere, how would we do it and what would the egress charge be? Third: which of our AI features are tied to a single vendor’s models, and could we swap providers without a rewrite? If you cannot answer all three confidently, you have found the starting point for your cloud strategy — and you have replicated, in miniature, exactly the assessment the European Commission has just performed on the whole market.

At a Glance — The Key Facts

Item	Detail
What happened	EC issued a preliminary finding that AWS and Azure should be DMA gatekeepers
Date of finding	25 June 2026
Investigation opened	18 November 2025
Stakeholder roundtable	1 July 2026
Designation route used	Qualitative power — quantitative thresholds not met
Quantitative thresholds	€7.5bn EU cloud turnover, 45m end users, 10k business users
Maximum fine	Up to 10% of worldwide annual turnover for non-compliance
Compliance window	6 months once a formal designation is issued
AWS global share (Q1 2026)	28% (Synergy Research Group)
Azure global share	21% — Google Cloud 14%
Global cloud market size	~$129bn in Q1 2026, up 35% year on year
EU businesses reliant on cloud	More than 50%
Key obligations if designated	Data portability, interoperability, no self-preferencing
UK legal position	Not directly bound (Brexit) — affected indirectly via suppliers and supply chains
Right of defence	Amazon and Microsoft may contest before any final decision

How This Connects to the Wider Regulatory and Technology Picture

This finding does not sit in isolation. It is part of a broader European push to govern the foundations of the digital economy, and it intersects with several stories Cloudswitched has covered recently. The same EU institution driving the cloud finding is enforcing the EU AI Act transparency deadline of 2 August 2026, which carries its own extraterritorial reach into UK businesses — and the Commission’s emphasis that AI is now “a prerequisite” for cloud ties the two directly together. On the data-protection and resilience side, the lock-in conversation is inseparable from how you back up and recover your data, a theme we explored in our guide to the 3-2-1-1-0 backup rule for UK SMEs. Security agencies are also sounding the alarm on AI-enabled threats, as set out in the Five Eyes AI cyber warning — a reminder that concentration of infrastructure is also a concentration of attack surface. And for businesses weighing how AI procurement shapes platform choice, our coverage of Microsoft 365 Copilot’s default model changes shows how quickly the AI layer of a cloud platform can shift beneath your feet.

Know exactly where your cloud strategy stands

Cloudswitched Azure cloud services help UK businesses understand, optimise and — where it makes sense — migrate their cloud footprint. We map your estate, model your switching costs and build a strategy that keeps your options open, whatever the regulators decide next.

Talk to us about Azure Cloud Services

Frequently Asked Questions

Does the EU DMA finding mean my UK business has to do anything legally?

No. Because of Brexit, UK businesses are not directly subject to the Digital Markets Act’s obligations — those fall on the designated gatekeepers, AWS and Microsoft, within the EU. There is no compliance action you are legally required to take. The relevance is strategic, not legal: the finding is an authoritative, independent confirmation that cloud switching costs are high, and the changes it forces on your suppliers will affect the products you use. The sensible response is to audit your own lock-in, not to file paperwork.

Should I move off AWS or Azure because of this?

Almost certainly not as a blanket decision. For most UK SMEs, AWS or Azure remains the right home for the majority of workloads — the platforms are mature, secure and feature-rich. The goal is not to leave but to know your position: which workloads are portable, what an exit would cost, and where a second provider or open standards reduce risk. A deliberate strategy might keep 90 per cent of your estate where it is while removing single points of failure and dependence from the critical 10 per cent.

What does “gatekeeper” actually mean under the DMA?

A gatekeeper is a large digital platform that the European Commission judges to be an important gateway between business users and consumers, with a durable and entrenched market position. Designation triggers a set of obligations designed to keep the market open: allowing data portability, ensuring interoperability, and prohibiting self-preferencing — favouring the platform’s own services over competitors’. Non-compliance can be fined at up to 10 per cent of worldwide annual turnover, rising for repeated breaches.

Why were AWS and Azure designated when they did not meet the thresholds?

The DMA gives the Commission two routes to designation. The first is automatic, based on quantitative thresholds — turnover, end users and business users. The second is a qualitative power exercised after a market investigation, where the Commission judges that a platform holds a durable, entrenched position regardless of the numbers. On the cloud-specific figures, AWS and Azure did not clearly meet the quantitative tests, so the Commission used the qualitative route — citing lock-in, switching costs and the decisive role of AI in procurement.

What are egress fees and why do they matter for lock-in?

Egress fees, or data-transfer-out charges, are what a cloud provider bills you to move your data out of its network — for example to another provider or back on-premises. Storing data is often cheap; extracting it at scale can be expensive. Because these costs only materialise when you try to leave, they act as a financial brake on switching, which is one of the lock-in mechanisms the Commission examined. Modelling your egress exposure in advance turns an unknown exit cost into a planned figure you can budget and negotiate around.

How does AI make cloud lock-in worse?

The Commission found that a platform’s AI portfolio is now “a decisive factor in cloud procurement”. When you build AI features on a single vendor’s model catalogue, proprietary accelerators and managed AI services, you add a new and deep layer of dependence on top of your existing compute and storage. Swapping providers can then mean re-engineering pipelines, retraining or re-prompting against different models, and re-validating outputs. A model-agnostic approach — keeping your architecture able to switch between providers’ models — preserves the procurement freedom the DMA is trying to protect.

What is the difference between single-cloud, hybrid and multi-cloud?

Single-cloud means running everything on one provider — simplest to operate, highest concentration risk. Hybrid combines cloud with on-premises or private infrastructure, often to keep sensitive or regulated workloads under direct control. Multi-cloud spreads workloads across two or more providers to reduce dependence and improve resilience, at the cost of added operational complexity. The right answer depends on your data, your resilience requirements and your team’s capacity. The strategy work is in choosing deliberately rather than defaulting into single-cloud by inertia.

How long does a cloud lock-in audit take?

For a micro business with a handful of workloads, a footprint map and quick-win review can be done in two to three days. A small business with managed databases and basic automation typically needs one to two weeks for a full inventory and portability scoring. Medium and larger SMEs with complex, multi-account estates and AI workloads in production usually need three to ten weeks for a complete architecture review, exit-cost analysis and migration roadmap. The first, most valuable deliverable — knowing exactly what you run and where your data lives — comes early in any of these.

Will the DMA changes benefit UK buyers even though we are outside the EU?

Indirectly, yes. Major platforms generally find it impractical to maintain entirely separate technical behaviour for the EU and the rest of the world, so reforms forced by the DMA — better data portability, clearer interoperability, fairer terms — tend to propagate into global products. UK SMEs also operate within EU supply chains and serve EU customers, so improvements that lower switching costs across Europe reach UK buyers through the platforms and partners they share. The benefit is not guaranteed or immediate, but the direction of travel favours customers.

How can Cloudswitched help with all of this?

Cloudswitched is an IT company, not a reseller, with certified Azure engineers and 20-plus years of migration experience. We run cloud lock-in audits, model your switching and egress costs, design hybrid and multi-cloud architectures where they add resilience, and manage migrations to and within the cloud with minimal disruption. Whether you stay where you are with a clearer strategy, optimise your current spend, or move selected workloads, we give you the same visibility the regulators are demanding for the whole market — applied directly to your business.

Turn cloud dependence into cloud strategy

The European Commission has confirmed what many UK businesses already suspect: cloud switching is hard, and concentration is real. Cloudswitched Azure cloud services give you a clear map of your estate, a costed view of your options, and a strategy built to keep them open — so the next regulatory or commercial shift finds you prepared, not exposed.

Start your cloud strategy review

Tags:AzureCloud ComputingAWS

CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.