CMA decision to shelve cloud services SMS investigations raises questions around use of its new digital markets powers

On 31 March 2026, the CMA announced the launch of a Strategic Market Status (SMS) investigation into Microsoft's business software ecosystem, but in a surprise move, opted not to pursue similar investigations into Microsoft and Amazon's cloud infrastructure services (for now, at least). 

This decision is likely to prompt further questions about the CMA’s current enforcement policy and whether it is under-utilising its new regulatory powers under the UK's Digital Markets Competition Regime (DMCR). 

What’s been announced?

The CMA Board will not prioritise SMS investigations into Microsoft's and Amazon's cloud infrastructure services, despite the independent CMA Inquiry Group’s recommendation for it to do so in the Cloud Infrastructure Services Market Investigation final report (CISMI Report), published in July 2025.

According to the CMA, its decision was informed by "market developments" since the CISMI Report was published. The CMA cited certain business changes introduced by Microsoft and Amazon, which are said to address some of the concerns identified in the CISMI Report around switching and interoperability, with both firms taking steps to reduce “egress” fees (charged on outbound data transfers) and improve interoperability between their cloud platforms - including extending EU Data Act standards to the UK. In lieu of commencing formal SMS investigations into cloud services, the CMA will continue to engage with both Microsoft and Amazon, through what it terms a "participative dialogue", with the CMA Board reviewing progress in six months' time.

The CMA will, however, conduct an SMS investigation into Microsoft's business software ecosystem, which will be launched in May. The CMA’s primary focus appears to be Microsoft's licensing practices and their effect on competition, but it has also signalled a broader interest in competition in AI assistants and other productivity software. 

The CMA’s announcement comes at a pivotal moment, as AI is rapidly being integrated into core workplace tools. It also coincides with the CMA (i) finalising its acceptance of voluntary commitments from Apple and Google in the Mobile Platforms SMS investigations, and (ii) seeking input on changes that Apple and Google have made or are proposing to make to address their “steering” restrictions (which limit third-party app developers’ ability to direct users to alternative distribution channels outside their apps), ahead of tabling draft Conduct Requirements (CRs). 

Why were SMS investigations into Microsoft and Amazon’s cloud services recommended in the first place?

The CISMI Report found that several features of the UK cloud infrastructure market were leading to adverse effects on competition:

• market concentration and barriers to entry: Amazon Web Services (AWS) and Microsoft Azure are the largest cloud providers in the UK, each with a market share by value of up to 40%. Both were found to enjoy substantial and entrenched market power and protection from high and persistent barriers to entry and expansion;
• technical and commercial barriers that lock customers into their initial choice of provider, with the result that switching is extremely rare and multi-homing is uncommon for small and medium-sized customers. Technical barriers stem from the differentiation of features and interfaces in cloud services, making it difficult for customers to compare, substitute, or integrate services from different providers. Commercial barriers principally take the form of egress fees charged by providers when customers transfer data out of their cloud environment; and
• Microsoft's licensing practices, which limit consumer choice and reduce competition in cloud services. Most notably, Microsoft charges AWS and Google’s Cloud Platform (GCP) wholesale input prices for key business software that are materially higher than the prices it charges customers for using the same software on Azure. This was found to weaken the competitive constraint that AWS and GCP are able to exert for customers who use Microsoft's software in the cloud.

Rather than imposing a remedy using its market investigation powers (as it was entitled to do), the Inquiry Group recommended that the CMA should use its DMCR powers to prioritise SMS investigations to designate both AWS and Microsoft Azure as having SMS in relation to their digital activities in cloud services. These designations would facilitate targeted and bespoke intervention and enable the issues described in the CISMI Report to be addressed through specific CRs. According to the Inquiry Group, the powers conferred on the CMA by the DCMR were designed to address competition issues that persist over time and require ongoing, proactive oversight, in particular because those powers allow the CMA to iterate and test remedies and adapt its interventions to technological changes and market developments. 

The Inquiry Group could not compel the CMA to implement its recommendations. However, it made it perfectly clear that the issues identified in the CISMI Report could only be tackled effectively by using the powers available to the CMA under the DMCR and that it expected the CMA to take its recommendations into account when deciding on its enforcement priorities. It was therefore widely anticipated that the CMA would shortly launch SMS investigations into Microsoft's and Amazon's cloud infrastructure services. 

Why then did the CMA not prioritise investigations into Microsoft’s and Amazon’s cloud services?

Instead of following the recommendations of the Inquiry Group, the CMA decided to continue engaging with UK cloud infrastructure customers and challengers, to understand what measures were necessary to deliver better market outcomes. It then put those measures directly to Microsoft and Amazon, which responded by identifying actions they had taken, or were planning to take, to support greater customer choice. These included removing or reducing egress fees for switching or multi-homing customers; capping multi-cloud data transfers at cost; directly connecting their datacentres with each other and Google; and extending to the UK interoperability standards adopted to comply with the EU Data Act. Both firms also committed to establishing formal processes for customers and competitors to request interoperability information and features. 

According to the CMA, these actions would facilitate switching and multi-homing. This could unlock consumer choice by making it easier for customers to use more than one cloud services provider. Against this background, the launch of SMS investigations into cloud services was not deemed to be an immediate priority. Instead, the CMA chose to prioritise an SMS investigation into Microsoft's business software ecosystem and to continue its engagement with Microsoft and Amazon in relation to the provision of cloud services - with the CMA indicating that it would review the situation in six months once it has been able to assess the impact that Microsoft and Amazon’s actions have had on the market.

The CMA justified the decision to prioritise an SMS investigation into Microsoft's business software ecosystem by noting that an SMS designation would allow the CMA to address the unresolved concerns about Microsoft’s licensing practices identified in the CISMI Report, which found that those practices were limiting consumer choice and reducing competition. 

The CMA cited the growth and rapid integration of AI across software applications and the omnipresence of Microsoft’s business software in the private and public sectors as further justifications for deprioritising SMS investigations into cloud services and focusing instead on Microsoft’s business software ecosystem¹. In particular, the CMA emphasised the importance of ensuring a level playing field, where a range of AI companies are able to compete effectively with innovative new software products that interoperate with Windows and the wider Microsoft ecosystem. This makes it essential that businesses and public sector organisations are not restricted (e.g. though the bundling of different products²) in their ability to choose between different AI tools.

Is the CMA making the best use of its powers? 

Following its decision to accept voluntary commitments from Apple and Google in relation to app distribution in lieu of formal CRs, the CMA's approach to cloud services is another example of its willingness to use informal negotiations and resolution mechanisms instead of its new regulatory powers.

The UK DMCR was designed to be flexible, targeted, and responsive to market developments - in contrast to the EU Digital Markets Act’s more prescriptive approach. By avoiding time-consuming investigations, whilst still engaging with stakeholders, the CMA can achieve its objectives swiftly, and retains the option to escalate to formal intervention if necessary. Fixing problems quickly, whilst minimising the burdens imposed on large digital platforms, is also consistent with last year’s Strategic Steer from the UK Government, which called on the CMA to use its powers flexibly and collaboratively, and to consider actions taken in other jurisdictions to ensure its interventions are "coherent" and avoid duplication³.

At the same time, however, there are material differences between accepting voluntary commitments in lieu of CRs, and allowing potential SMS firms to avoid designation altogether.

Pre-SMS investigation negotiations were not identified as a feature of the regime in the CMA's own DMCR guidance. That guidance (and the relevant statute - the Digital Markets, Competition and Consumers Act 2024 (DMCCA)) sets out a formal framework, following a linear process: SMS investigation > SMS designation > imposition of CRs (and potentially also pro-competition interventions (PCIs)) > enforcement of CRs (and/or PCIs). Each stage has its prescribed procedures, consultation requirements, and safeguards. The CMA's decision to resolve concerns through bilateral dialogue with the largest digital platforms, without designating those platforms as having Strategic Market Status, represents a significant departure from that framework, and calls into question the predictability of the regime and the extent to which statutory procedures will be followed in practice. 

The absence of designation also means there is no formal standing for third parties to participate in the process; no statutory framework for monitoring or enforcing the firms' promises (and no legal obligation for the CMA to keep the relevant interventions under review); and no mechanism for the CMA quickly to impose CRs if circumstances change. 

Furthermore, should formal intervention ultimately be required, there is a risk that conducting the necessary SMS investigations at that stage will introduce delays at a time when such delays could be most harmful. The CMA's ability to respond to future developments could be curtailed, and one of the key features of the DMCR, - the ongoing monitoring and evolution of remedies over time as markets develop - undermined.

Concluding remarks

The CMA's decision to proceed with an SMS investigation into Microsoft's business software is significant. Not only is such software ubiquitous across the economy, but the CMA’s ability to investigate and designate the entire ecosystem showcases the flexibility of the DMCR, especially the broad concept of a “digital activity”⁴ and the CMA’s ability to group such activities together when designating SMS firms. This would not currently be possible under the DMA, which, whilst covering operating systems and browsers, did not target enterprise software as a potential “core platform service”.

Nevertheless, stakeholders who had been pinning their hopes on forthright and timely intervention under the DMCCA may have concerns about the way in which the CMA’s new powers are being deployed. For a start, it remains to be seen whether (potential) SMS firms will be sufficiently incentivised to comply with measures agreed outside the DMCCA’s statutory framework. There may also be disappointment among some (including within the CMA) that the tremendous amount of work only recently done during the CISMI is not going to be leveraged in the form of SMS designations for the main cloud services providers, which - despite market developments - remain a duopoly.

The CMA’s current enforcement policy might be a consequence of capacity constraints within its Digital Markets Unit⁵, or ministerial pressure to dial down enforcement and minimise regulatory intervention, in pursuit of the UK Government’s growth agenda. But with no binding CRs in place after 15 months, only one set of draft CRs consulted upon, and a bias for informally negotiated solutions, concerns are being voiced that the CMA is taking a risk that the new regime - which was specifically designed to regulate the conduct of large platforms on an ex-ante basis, allowing for faster, more effective enforcement - will not succeed in unlocking effective competition in digital markets.