All eyes on the cloud

At a glance:

• New regulation has recently been agreed at EU level to address competition and customer protection issues in the cloud computing market, seen to restrict the development of the digital economy. A corresponding investigation by the UK Competition and Markets Authority (CMA), further to concerns expressed by Ofcom, is in train.
• There are concerns about a lack of cloud service provider competition, customer ‘lock in’ and limited interoperability, all of which are believed to act as barriers to multi-cloud adoption.
• This new regulation is designed to benefit customers by giving them a new right to switch cloud providers, at a reduced cost. 
• New obligations, such as those relating to cloud switching and customer information sharing, are designed to promote competition. This will require significant implementation by the industry and could present either opportunities or threats for cloud service providers, depending on their market position. 
• Customers of cloud services should already be considering their future cloud procurement strategies with these new obligations in mind. Providers should be developing their commercial strategies and operational processes accordingly.
• Regulation now agreed at EU level is expected to apply from late 2025. The outcome of the current UK process, which is ongoing, is expected in April 2025. 
• This blog provides a summary of relevant EU and UK activity, the strategic implications arising and our view on what customers and cloud providers should do now. 

Introduction

It is well understood that cloud computing services are integral to the activities of businesses and consumers in the economy today. Indeed, there is already regulation in place to ensure a secure and resilient cloud infrastructure, recognising this vitally important role. Cloud is also seen as a key enabler, relevant to achieving policy objectives in complementary policy areas such as data and AI. As a result, there has been an increasing regulatory focus on addressing broader concerns relevant to competition and customer protection in the market, consistent with policymaker objectives to unlock the socio-economic benefits associated with cloud service provision.

Recent EU and UK regulatory developments 

In the EU, the Data Act and the Digital Markets Act are two regulatory files particularly relevant to the recent focus on competition and customer protection in the cloud market.

The Data Act was politically agreed in June 2023, with many provisions expected to apply from late 2025 (twenty months after its entry into force, which will happen twenty days after its forthcoming publication in the Official Journal). An important element of the Data Act is to facilitate customer switching in the cloud services market and prevent so-called vendor ‘lock-in’.  It does this by introducing new rules to address switching barriers that are seen to exist in the market. This includes new requirements to enhance the portability and interoperability of cloud services and require the gradual withdrawal of switching charges including data egress charges (charges related to the transit of data from one provider to another).

The Digital Markets Act is a new, flagship EU regulation designed to regulate large online platforms that act as “gatekeepers” in digital markets, with cloud computing services a category of regulated service (a so-called “core platform service”). It is notable that the European Commission did not designate any gatekeepers in respect of cloud computing services as part of its first designations in September 2023. Although the Commission has not as yet provided any reasons for this, it is presumably because providers in the market did not meet the required thresholds. The Commission will no doubt keep this under review.

We see a different process in the UK, where Ofcom, the regulator for electronic communications, recently concluded its year-long market study into the supply of public cloud infrastructure services by referring the market to the CMA for a market investigation. In its referral, Ofcom focused on three concerns regarding the functioning of this market, relevant to:

• charging of egress fees for moving data out of a service provider’s cloud;
• restrictions on interoperability and portability; and 
• committed spend discounts.

Ofcom is also concerned that such features make it more difficult for customers to switch and use multiple suppliers. As the CMA has stated in its recent Issues Statement, it is yet to determine whether any competition concerns arise in the supply of cloud services in the UK. However the referral to the CMA is a significant step, which could potentially result in remedies, such as market-opening or structural measures, being imposed.¹

Of course, the UK’s equivalent to the EU Digital Markets Act, the Digital Markets Competition and Consumers Bill, is still undergoing scrutiny in Parliament. Indeed, in its referral, Ofcom notes that further consideration of the application of the Bill to the cloud market will be a matter for the CMA to consider during its market investigation. The CMA has confirmed that if the Bill is adopted into law during the course of its investigation, it may consider this. If any future obligations in the UK market are imposed on cloud providers designated to have Strategic Market Status (a core element of the Bill), it could mean that the UK diverges from the EU approach, given the current lack of oversight under the EU Digital Markets Act.

Strategic implications arising

The abovementioned regulatory activities signal not just an increased level of regulatory attention on how competition is functioning in the cloud market, but also the articulation of specific concerns, and, in the case of the EU, agreement of new rules designed to address those concerns. This represents a significant expansion in regulatory oversight.

This will therefore have specific implications for the market, including customers, larger established cloud service providers and those providers seeking to gain market share. Broadly speaking, these implications can be broken down into technical processes and standards relevant to switching and interoperability, the financial terms on which switching takes place and the regulatory oversight that will result.

1. Technical processes and standards relevant to switching and interoperability

The new obligations in the EU Data Act relevant to switching are far reaching. For example, they require that cloud service providers shall not impose and shall remove pre-commercial, commercial, technical, contractual and organisational obstacles relevant to different elements of the switching process. They also include a mandatory switching period of 30 days, which can be extended to seven months in the event that the 30 day period is not “technically feasible”.  

Technical feasibility is a concept that has been a feature of electronic communications regulation for many years. Given the potential complexities associated with the cloud switching process, it would seem likely that this provision may be regularly activated as a means of allowing more time for migration. Additional guidance in this area would no doubt be beneficial to the market.   

In relation to interoperability, the Data Act focuses primarily on standards and publication by cloud service providers of open interoperability provisions (e.g., in an online register to be hosted by the cloud provider). The Data Act notes that that the Commission needs to rely on parties in the market to develop relevant open interoperability specifications to keep up with the fast pace of technological development in this industry. In saying that, it also envisages that the Commission should be enabled to mandate the development of harmonised standards for the interoperability of specific service types if required. 

Ofcom also addressed interoperability in its review, highlighting four potential categories of remedy in referring the issue to the CMA (broadly speaking, relating to providing greater transparency about interoperability, requirements for suppliers to make their cloud services easier to interoperate with, an increased degree of standardisation and interconnection of data centres). Ofcom rightly refers to the risks of unintended consequences associated with mandating a particular technical approach to standards. Given concerns associated with ‘heavy handed’ intervention in this area (e.g., potential negative impact on innovation associated with mandating a particular a technology) it would seem likely that the CMA’s primary focus will be on enhancing market transparency about interoperable solutions or on enhancing industry approaches to standardisation.

There are already industry codes of conduct in the EU market relevant to switching & interoperability, in part introduced following regulation in 2018 which required that the European Commission encourage and facilitate the development of voluntary codes. Clearly, the EU has taken the view that self-regulation has not worked, hence the binding requirements that have now been introduced in the Data Act. The multi-stakeholder group SWIPO has already stated that its third converged code of conduct for Cloud Services will be updated to comply with these new provisions and that it anticipates that the updated version will be eligible to be listed in the “Cloud Rule Book” as a Data Act implementation tool. However, the significant detail now included in the Data Act would appear to go far beyond what is included in existing self-regulatory codes, meaning that much industry implementation work still remains.

2. The financial terms on which switching takes place

The emphasis on data egress charges in both the UK and EU activity is notable, with the EU framework now putting in place clear requirements for these charges to be phased out. 

As part of the Ofcom market study process, certain cloud service providers continued to challenge the idea that egress fees should be a cause for regulatory concern, noting for example that they simply reflected the use of a network resource, that they are fair and reasonable and that they do not act as a barrier to switching. Ofcom was not persuaded by these arguments. In concluding on the topic, Ofcom noted the difference in the level of egress charging between the largest providers and other providers in the market. Ofcom also observed that the largest providers do not charge for data ingress (i.e. the effective price is zero) – effectively meaning that the largest providers have an incentive to make it easy and cheap to move data into, as opposed to out of, their cloud. 

In referring the issue of egress charges to the CMA, Ofcom identified three possible outcomes in respect of their treatment: (i) Equalise egress fees with other charges (e.g. no higher than data transfer costs within a single provider’s cloud) (ii) Place a price control that restricts egress fees to “at cost” charges, or (iii) prevent providers from charging any egress fees.

The EU is in essence now already moving in the direction of the third of these outcomes, with the Data Act requiring that cloud service providers shall not impose any switching charges on the customer, including data egress charges, three years after the entry into force of the regulation. Providers can charge reduced switching charges (which may reflect costs incurred) for three years from the entry into force of the regulation. Providers are also required to make information relevant to any charges easily available to customers.

A notable exception to the general position on egress charges at EU level is in relation to multi-cloud services, where providers may continue to charge for data egress for the purposes of ‘in-parallel use’² beyond the abovementioned transition period, but not exceeding the costs incurred. This is due to the benefits of interoperability – it is recognised that the egress of data from one service provider to another to facilitate in-parallel use of services can be an ongoing activity, in contrast to the one-off egress required as part of switching process. It is also recognised that this multi-cloud strategy for financial institutions is consistent with the objectives of the EU’s Digital Operational Resilience Act (DORA).

3. Future regulatory oversight

The EU Data Act envisages that Member States will designate one or more competent national authorities to ensure the effective enforcement of the regulation. 

The types of issue now being considered in the cloud market are ones that have been commonplace in electronic communications markets for many years (albeit that interoperability has not been a significant issue given the prevalence of industry specifications and the adoption of subsequent standards). In relation to portability, the European Electronic Communication Code sets out the current regulatory framework which governs switching in electronic communications markets, which has evolved over time and which is overseen by national regulatory authorities for electronic communications. There have also been many years of EU regulation to reduce the charges of different categories of electronic communications service.

If experience from the electronic communications sector is anything to go by, plenty of implementation questions will remain relevant to both portability and egress charges, suggesting that national regulatory authorities for electronic communications could also have an important role to play in regulatory oversight of these provisions going forward. These bodies would seem well placed to be designated competent national authorities under this regulation. It would seem wise for cloud service providers to prepare for such regulatory engagement going forward.

The Data Act also envisages an important role for the newly established European Data Innovation Board to assist the European Commission in ensuring both a harmonised approach and the adoption of any delegated acts relevant to, for example, monitoring of switching charges. This raises the question regarding the role of the Body of European Regulators for Electronic Communications (BEREC), whose remit is to contribute to the development and better functioning of the internal market for electronic communications networks and services. Issues relevant to portability and charging of cloud services would appear very relevant to BEREC’s remit, so they may also be expected to have a role to play (indeed, BEREC’s recent draft 2024 work programme confirms that they intend to adopt a report on cloud services and edge computing during the year, which will consider the “competition implications of the increasing concentration of the public cloud market in Europe").

Conclusion

It is now clear that additional regulatory oversight is being introduced into the cloud services market, which has strategic implications for customers and cloud service providers alike. 

Customer implications

1. This regulatory activity is designed to benefit customers. Most obviously, cloud customers will have a new right to portability in the EU, at a reduced cost. Customers should factor these considerations into their strategic decision making going forward. 
2. More specifically, customers should consider which elements of their cloud service stack they may wish to port once the new EU rules apply (expected to be late 2025). Where possible, in dialogue with cloud providers where required, they should also familiarise themselves with the current status of technical specifications relevant to the interoperability of these different elements (with the EU regulation containing provisions to enhance transparency in this area). This will ensure they can benefit from these provisions where technically feasible. 
3. Where the contract with the cloud provider includes both the UK and EU countries, customers should consider their approach in the round, mindful of the different regulatory processes in respect of each.

Cloud service provider implications

1. At EU level, providers will likely see this new regulation as either an opportunity or a threat, depending on their market position. Irrespective, providers within scope (which appears broad) will need to put in place a variety of contractual, operational, commercial and technical changes in order to address the new requirements. Pricing strategies will need to be reviewed in the round.  
2. Providers active in the EU and UK will obviously be reflecting on their UK strategy in light of the CMA’s ongoing market investigation, due to conclude by April 2025. Although there is similarity in the concerns expressed at both EU and UK level, there are differences in scope. In particular, it would be surprising if any UK intervention did not solely focus on the largest providers, unlike the EU approach. 
3. In terms of regulatory oversight at EU level, providers should prepare for oversight by the competent authorities that will be designated at national level. Understanding priorities and developing an appropriate strategy will be key to constructive conversations. In the UK, there may also be a case for ongoing regulation, depending on the outcome of the CMA’s investigation. Whatever the outcome, it seems clear that this market will be subject to increased levels of regulatory scrutiny for some time yet.

References

¹ For completeness, the CMA has confirmed that further to the referral from Ofcom it is also investigating whether the licensing practices of certain cloud service providers disincentivise customers from using rival providers and consequently reduce competition or raise barriers to entry in cloud services.

² This is described as relating to situations where customers do not terminate a contractual agreement to switch to a different provider of data processing services, but where multiple services of different providers are used in-parallel, in an interoperable manner, to benefit from the complementary functionalities of the different services in the customer’s system set-up.