EU Oversight of Microsoft, Amazon Cloud Business Goes Beyond Antitrust

Over the course a few days, cloud computing went from “not being an antitrust concern,” according to EU Competition Commissioner Margrethe Vestager, to a being a definite subject of questioning for some companies in this space. Moreover, a bigger regulatory headwind may be coming the companies’ way with the approval of the Digital Operational Resilience Act (DORA). 

First, the European Commission is asking Microsoft’s customers and competition about its cloud business and its licensing deals, according to Reuters. This is not part of any formal investigation yet. Normally, EU regulators reach third parties when they have complaints about a company’s conduct that may be anticompetitive. In this case, German software provider NextCloud and three other companies have filed complaints about Microsoft’s cloud practices. Regulators’ main area of focus is tying practices — for instance, whether Microsoft is selling packages including several services like operating systems, productivity applications and cloud services. 

While it is too early to predict whether these inquires will lead to any enforcement action, it is a good reminder that the adoption of the Digital Markets Act (DMA), which will impose new obligations on gatekeepers providing cloud services, won’t be a substitute for antitrust investigations. 

However, despite these inquiries or even the new obligations established in the DMA, Microsoft, Amazon and other cloud providers may be subject to more regulatory oversight on an ongoing basis when DORA enters into force, probably in 2023. 

DORA is a new law proposed by the European Commission that aims to establish uniform requirements for the security of networks and information systems in the financial sector. The purpose of the law, which is part of a bigger EU digital finance package, is to make the financial sector more resilient and better prepared for cyber threats and other information and communication technology (ICT) risks. 

While most of the proposed law addresses banks and other financial institutions in Europe, there is a chapter devoted to ICT third party risk, which includes cloud providers of critical or important functions. 

DORA will enable the European Supervisory Authorities (ESAs) to access critical ICT third-party service providers directly — and sanction them if necessary. First, cloud providers will need to be designated as critical ICT third-party service providers. This designation process resembles the one established in the DMA, as regulators will base their decision on a few parameters and then the companies will be subject to a new set of rules. 

The Lead Overseer — which will be either the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) or the European Insurance and Occupational Pension Authority (EIOPA) — will have authority to request all relevant information and documentation to cloud providers, conduct investigations and on-site inspections and make recommendations for actions. 

If a cloud provider doesn’t implement the recommendations in 60 days, the Lead Observer can impose periodic penalties which can be up to 1% of the average daily worldwide turnover. 

DORA is applicable only to financial service companies and ICT third parties providing critical functions. Thus, Microsoft, Amazon and others may be subject to oversight only if the service is provided to these companies, and not their whole cloud business. Nevertheless, DORA will impose new transparency and reporting requirements on cloud providers. And it may have a cost too, as the law establishes that “the ESAs shall charge critical ICT third party service providers fees that fully cover ESAs’ necessary expenditure in relation to the conduct of Oversight tasks pursuant to this Regulation.”

The proposed law was initially approved by the European Parliament’s ECON committee in December. Now the parliament, the Council and the Commission are conducting inter-institutional negotiations that could lead to an agreement by summer, but the law would apply 18-24 months after the final approval. 

Read More: EU Regulators Scrutinize Microsoft’s Cloud Business, Practices