What the DMA review actually changed for your cloud and AI stack

The headline coverage of the 28 April Digital Markets Act review told you that the DMA was being expanded to cover cloud and AI. That is not what happened.

What the Commission actually published is a review concluding that the DMA, as written, does not need amendment. No new core platform services have been added. No new gatekeepers have been designated. The list of obligations stayed exactly where it was on 27 April. What did move is enforcement focus, and that focus now points at cloud providers and certain AI services that already sit inside the existing scope.

For an EU mid-market firm running a typical AWS or Azure stack, the distinction matters. The date worth pinning to your governance calendar is not 28 April 2026. It is November 2026.

What the Commission actually decided

The review confirms three things.

First, the regulation stays as drafted. Article 7 will not be extended to social networks. Generative AI will not be added as a new core platform service. The Commission concluded it would be premature to legislate further until existing obligations have settled.

Second, three cloud market investigations opened in November 2025 are running. Two are gatekeeper-designation assessments, one for Amazon Web Services and one for Microsoft Azure. A third assesses whether the DMA can effectively address contestability problems in cloud more broadly. Cloud has been a listed core platform service since 2022 but no provider has yet been designated; that is the gap the investigations are intended to close.

Third, the Commission is now assessing whether some AI services should be designated as virtual assistants. Virtual assistants are already a core platform service under the DMA; like cloud, they have not had a designation. Putting one in place would not require legislative change, only an administrative finding that a particular service meets the existing thresholds.

If you want one source for the whole picture, Tech Policy Press has a careful analysis that holds up against the Commission’s own staff working document.

Why November 2026 is the date you actually need

Cloud designation decisions are due by November 2026. The third investigation, the one that may produce a recommendation to modify the DMA itself, is not due until May 2027.

For an EU SME, the order of operations is straightforward. First, the Commission decides whether AWS and Azure are gatekeepers. Second, if they are, the existing DMA obligations attach to whatever services were assessed. There is no further legislative step in between, which is what makes November a real date rather than a scenario.

What changes if AWS or Azure is designated

A designated cloud gatekeeper would inherit a defined set of obligations under the DMA. Three of them matter most to a B2B services firm.

Article 6(7) interoperability

The Commission has explicitly said it is investigating whether 6(7) can be applied to cloud. If it is, designated providers would be required to grant equally effective access and interoperability to third-party services running on their infrastructure. For a firm that has built around proprietary AWS or Azure managed services, this is the obligation with the largest commercial consequence.

Contractual fairness

Designated gatekeepers cannot impose terms that lock business users into their own services or restrict switching. Most current cloud contracts contain at least one clause that would not survive that review.

Data portability

Customers must be able to extract their data in a usable, portable format. Data Act portability rules already pull in the same direction; designation would put DMA-grade enforcement teeth behind it.

The honest reading of these obligations is that none of them break a typical SME stack on day one. They change negotiating leverage at renewal and they change the cost of staying on a single provider. That is enough to plan around.

Stacking with the AI Act and GDPR

If a virtual-assistant service is designated, gatekeeper obligations stack on top of AI Act provider and deployer duties under Articles 9 to 26. They also stack on existing GDPR vendor management requirements. None of that erases the others; you simply hold three regulatory hats over the same vendor relationship. We have written about the broader vendor governance picture in the Anthropic case, and the structural lesson holds here: provider concentration is now a regulated risk, not just a procurement preference.

This is also a different mechanism from the DSA platform designation question we covered on 14 April. DSA designation pulls in content and systemic-risk obligations; DMA designation pulls in interoperability and contractual fairness. A vendor can sit under one, the other, or both.

Three things to do in the next 60 days

One, identify which of your AI and cloud providers fall inside the live investigations. AWS and Azure are obvious. Anything built on top of them, including most enterprise AI tooling, inherits the same uncertainty.

Two, document switching costs and exit pathways for each. The work is dull and exactly the work you wish you had done last year. Treat it as a procurement-grade artefact, not a slide deck.

Three, brief procurement and legal on November 2026. The next contract you sign with AWS or Azure should already assume the designation outcome could land before the term ends. Our SEAL framework guide and the sovereign-cloud label piece cover the procurement language that travels well across both DMA and sovereignty conversations.

The DMA is not expanding

The investigations are narrowing. For an EU mid-market firm, that is more useful, not less; you now know which two providers and which service categories sit at the centre of EU competition enforcement for the next eighteen months. November is in the diary. The work between now and then is the kind that pays off whichever way the Commission lands.