Getting down to business? CMA opens investigation into Microsoft’s business software ecosystem

On 14 May 2026, the CMA launched a strategic market status investigation (SMSI) into Microsoft’s business software ecosystem under the Digital Markets Competition and Consumers Act 2024 (DMCCA), bringing a large group of Microsoft software products and systems potentially within the scope of a future SMS designation.

The CMA has nine months from the launch of an SMSI to decide whether to designate a firm under investigation as having strategic market status (SMS) in relation to one or more digital activities. Once designated, that firm can be made subject to conduct requirements (CRs) - bespoke legal obligations relating to its future conduct. Alternatively, the CMA could accept voluntary commitments if a swift and pragmatic solution to its concerns can be agreed. It could also launch a pro-competitive intervention (PCI) investigation if it has reasonable grounds to consider that specific factors relating to the relevant digital activities have adverse effects on competition – giving the CMA the ability to impose remedies that go beyond CRs if the investigation confirms such adverse effects¹.

The launch of the Business Software SMSI comes not long after the CMA’s decisions: (i) to accept voluntary commitments from Apple and Google in relation to their respective Mobile Platforms; and (ii) not to launch a Cloud Services SMSI. As we have previously written, those decisions raised questions around whether the CMA is under-utilising its new regulatory powers under the UK’s Digital Markets Competition Regime (DMCR).

In this context, the breadth of the Microsoft Business Software SMSI - in terms of the range of products and potential issues the CMA will be investigating - is notable.

Products covered

As set out in the investigation notice, the following software and IT systems fall under the scope of the investigation (when provided to business and public sector users, rather than private individuals).

1. Productivity Software Suite: this captures Office 365 applications, including Word, Excel, PowerPoint, Outlook, Exchange, Teams, SharePoint, OneDrive, and OneNote, as well as certain services and functionalities that enable the functioning of the Suite, and Copilot features and functionalities that can be used with these applications.
2. PC Operating System: Windows 10 and 11 and any subsequent versions.
3. Server Operating System: Windows Server.
4. Relational Database Management System: SQL Server.
5. Security Software: Entra and Active Directory-related software and services, Intune, and Defender.

The CMA also intends to investigate the extent to which Microsoft’s AI products (including Copilot) should be included within the scope of each of these digital activities because they “span every layer of the technology stack”. This is consistent with how the CMA has proceeded in other SMSIs. For example, the CMA carefully considered the level of integration of AI products within Google’s search services when determining the list of Google AI products included within the scope of its designation decision.

This approach reflects the fact that the CMA has the power under the DMCCA to group certain digital activities together as one activity, where they have substantially the same or similar purposes or can be carried out in combination to fulfil a specific purpose. The CMA has used this power in all its other SMSIs to date, so it is not surprising to see a similar approach being adopted here. In its Invitation to Comment (ITC), the CMA observes that Microsoft presents itself as a one-stop shop for business software, marketing various products together as a secure, integrated, easy-to-use software solution.

The CMA’s starting position is that all the digital activities within the scope of the investigation could potentially be grouped together as a single digital activity comprising “Microsoft’s Business Software Ecosystem”, since they “can be carried out in combination with each other to fulfil the specific purpose of providing a software environment that enables organisations to perform work effectively, securely and at scale.” While there is no guarantee that Microsoft will be designated in respect of its whole ecosystem (or all of these activities), the CMA clearly considers that Microsoft may have substantial market power in relation to its Business Software Ecosystem, and that such power “may be entrenched”.

The CMA will look at a range of evidence in assessing a potential designation, but significant weight will be attached to shares of supply and switching costs. The CMA has already noted that the initial evidence suggests that Microsoft has held shares above 70% in respect of several of its digital products for a number of years. Evidence from the cloud services market investigation also points to significant switching costs for customers, once network effects and the significant degree of integration between Microsoft’s products are factored in.

Issues under consideration

The investigation is also broad in terms of the issues the CMA intends to explore, which include the following.

1. Leveraging by Microsoft of its market power in business software into adjacent activities such as cloud services. This comes as no surprise, since the CMA indicated it would investigate licensing practices in relation to cloud services as part of the Business Software SMSI when it announced it would not open an SMSI in the cloud sector. However, the reference to adjacent activities suggests cloud services may just be one example of leveraging, leaving the door open to interventions in relation to other potential leveraging practices that may affect other markets as well.
2. Technical design and interoperability. This encompasses technical tying, asymmetric API access (e.g. APIs needed for competing products to make certain features available on Windows that might seamlessly be available to Microsoft’s products but are not available in the same way to competing applications) and Microsoft’s control over de facto standards. The CMA has already indicated that AI applications will be a key area of focus, with the ITC noting the importance of ensuring easy integration between competing AI applications and “existing IT workflows”.
3. Commercial practices limiting effective consumer choice. This includes using pricing structures, bundling or tying to shape customer behaviour in ways that are capable of foreclosing third-party competitors. In the ITC, the CMA referenced the recent set of commitments Microsoft agreed with the European Commission in relation to Teams, which might suggest the CMA is interested in pursuing similar interventions in the UK², including potentially in relation to other types of business software.
4. Defaults, design and presentation choices. This focuses on features that steer users towards particular products in ways that undermine effective choice. This could potentially cover several aspects, including the choice architecture within Windows.

The same or similar issues have been the subject of previous abuse of dominance investigations. The CMA, however, does not have to prove that conduct is abusive, or even anti-competitive, to impose CRs, nor does it need evidence of historic or ongoing harm. CRs are (in theory at least) intended to regulate behaviour on an ex-ante basis. If Microsoft is designated, the CMA simply has to fit the intended CRs within one of the permitted categories in s. 20 of the DMCCA (which are wide-ranging in nature).

However, before exercising these powers (in what is intended to be a collaborative regime), the CMA must consider the feedback and evidence it receives from Microsoft and affected stakeholders. The CMA is also expected to use its powers in a proportionate and targeted way (particularly in view of recent political pressure). Accordingly, the ITC expressly recognises that the CMA could choose not to prioritise the imposition of CRs if “voluntary commitments can deliver immediate and effective benefits to UK businesses and consumers”.

Reflections 

The breadth of products covered by the investigation - from security tools and AI applications to video conferencing software - is striking. While it is not a foregone conclusion that Microsoft will be designated in respect of all of these products, it would be reasonable to expect the CMA to seek to bring as many activities as possible within the “Business Software Ecosystem” umbrella, in order to maximise its ability to intervene against the leveraging of market power across different parts of the ecosystem. The DMCR’s flexibility - in particular the open-ended concept of the “digital activity”, and the ability to group such activities together - makes this possible. In contrast, the EU Digital Markets Act covers operating systems (including Windows), but does not extend to cover enterprise software as a “core platform service”.

The CMA has a powerful toolkit, but in its SMSIs to date it has been cautious in the use of its powers. Time will tell whether this latest investigation, while broad in scope on paper, will prove more ambitious in terms of the interventions the CMA chooses to pursue.