Cloud computing market: dark clouds ahead or a European silver lining?

Cloud computing¹ ("cloud") represents one of the main technologies empowering businesses across the world to achieve their digital ambitions, stepping ahead of their competitors. Indeed, cloud technologies offer enormous potential to reduce costs and add capabilities to business and personal activities. It is therefore unsurprising that, on the one hand, the cloud sector is expected to exceed $1 trillion globally by 2028 and to experience growth at a pace of 12% per year,² and on the other hand, has caught the attention of competition authorities worldwide.

With its promises of greater security, scalability, savings and better accessibility compared with traditional methods of data usage, the cloud is becoming a must-have for all areas of modern life. The unprecedented pace of the evolution of artificial intelligence ("AI") and the rise of its countless business applications will additionally drive growth in demand for cloud services in the future.

However, as society increasingly depends on these cloud systems across varied sectors, a robust and agile framework is needed to safeguard the cloud market. Into this framework feed several complex considerations such as data use, privacy, cybersecurity and competition law. Homing in on the latter, key characteristics jump out: the market players are small in number but strong in capabilities and operate in a global way. Indeed, the cloud sector is inherently cross-border: by definition, data is stored and backed-up quite possibly thousands of miles away, as it can be accessed at any moment regardless of location. As such, experience might suggest that a single, or at least widely coordinated response could be key to effective regulation, to the benefit of both consumers and businesses. That would indicate that in Europe at least, the European Commission (the "Commission") should be at the forefront in this sector, as it has been with much of its work in the wider digital sector. In this spirit, various stakeholders expected the new Digital Markets Act (the "DMA")³ to impose stringent obligations on so-called 'gatekeepers' in the cloud sector, as cloud services are listed as core platform services.⁴ Still, no such designation has yet been made.⁵

In contrast, national competition authorities ("NCAs") around the world are stepping up and getting to grips with the competition challenges the cloud market gives rise to. This article focuses on the recent opinion⁶ by the French Competition Authority (the "FCA") into the cloud market (the "Opinion"). First, we explore key findings. We then delve into the issues that might emerge from these observations, in relation to the work of other NCAs and at the European Union ("EU") level, and further afield, going forward.

2. Introduction to the FCA opinion

On 29 June 2023, the FCA released its Opinion on competition in the cloud sector. It is non-binding in nature: it is not a statement of the law in this area, nor does it look at compliance or contravention by any specific business. Instead it focuses on the market in a holistic way. That said, in practice the Opinion is likely to be a persuasive point of reference and already seems to be the catalyst for enforcement action as well as laying the ground for future advocacy in this area.

The Opinion provides 184 pages of detailed analysis of what the FCA identifies as actual and potential challenges in France in this area. The Opinion adds to the growing body of thought leadership about the cloud by authorities around the world but stands out as it goes a little further in the competitive analysis of such a sector.

The Opinion is a cumulation of an intense period of work for the FCA, coming a year and a half after it started proceedings 'on its own initiative'⁷ and a year after opening its public consultation.⁸ During that time, the FCA held numerous interviews, conducted hearings and sent out requests for information ("RFIs") to private players, including both suppliers and customers. It also kept in close contact with the various authorities including national sector regulators and other competition authorities working on the subject.

3. Market Background

Cloud is essentially a business-to-business ("B2B") market. In general, a distinction is made between three main categories of cloud services: IaaS (infrastructure services), PaaS (platform services) and SaaS (software services), each corresponding to a different allocation of responsibilities between the cloud (service) provider and the customer.

Different main types of market players along the cloud value chain can be identified:

• Data centre operators: located at the upstream level of the cloud sector, these players provide the physical infrastructure needed to supply cloud services. Cloud service providers often rent the physical space they need and do not build these capacities on their own, as it takes several years and major investments to build a single infrastructure. Renting data centres can amount to a significant part of costs incurred by cloud providers.
• Hyperscalers: even if they do not form part of a homogeneous group, and stakeholders do not all agree on categorizing them as such, these cloud providers share common features, such as being well-established digital players which have leveraged their financial resources and internal needs to create large-scale services globally available which ultimately belong to an ecosystem.
• Pure-players: these cloud providers mainly operate in cloud services and have little to no presence in other markets. Some of them tend to cover the majority of business needs while some others focus their offer on specific services and tend to specialise either in IaaS or PaaS. The latter have the specificity to be both cloud providers and cloud customers.
• Trusted (or sovereign) cloud providers, who stand out for their ability to offer certified, highly secure services to customers for whom security is absolutely critical.
• Integrators: at the downstream level of the cloud value chain, integrators support companies in the transition of their IT resources to the cloud. This business is key in helping cloud customers to choose the right services and providers and in smoothly integrating cloud solutions in their IT systems. Integrators are also positioned as resellers of specific cloud services. The integration activity is overwhelmingly taken on by digital services companies and demand for that kind of services is constantly rising.

Finally, some cloud providers offer marketplace services, ie, a platform where other cloud providers and independent software publishers can offer their own services to customers. Hyperscalers operating cloud marketplaces do not sell their own services on it and third-party sellers generally offer similar services as the marketplace operator. This channel amounts for a tiny proportion of revenue generated by cloud services.

It is thus evident that the French cloud market is layered with complexity from a market player perspective. This creates competitive opportunities between players, but also risks, with smaller market participants having to navigate around the strength of larger actors, who in turn must consider the impact of their market position on others.

4. French Context

In France, both the national competition authority and the government have made it a priority, to understand and consider what might need to be done to ensure the healthy functioning of the cloud market. This is not surprising given that in France, the cloud industry is expected to reach €27 billion by 2025, with an average annual growth rate of 14%.⁹ However, the use of cloud services in France is lagging behind compared to several other European countries: in 2021, 19% of companies had adopted cloud services compared to an average of 41% in Europe.¹⁰ As a result, the first mover advantage is very real in France, and the FCA has the chance to intervene at the early stage in the development of this nascent market, learning lessons from others and setting the stage for future developments.

Further to a request by a French Deputy Minister to look at provisions related to cloud services in a new draft law, the FCA released a (separate) opinion on 20 April 2023.¹¹ This set out specific recommendations designed to draw attention to the need for consistency with the European regulatory framework (namely the DMA, Data Act¹² and Data Governance Act¹³ which has recently been adopted. Subsequently in May 2023, the French government proposed a draft law to secure and regulate the digital space. This is currently going through the approval process of the French National Assembly.¹⁴ It aims to tackle competition issues which the cloud market triggers, in a way which takes into account the specificities of the French market and the respective competences and prerogatives of the authorities involved, both at a national, and European level.

The Opinion of 29 June 2023 therefore came against a busy legislative and policy background, which it both fits into, and stands out from.

5. Key FCA Findings

In its detailed Opinion, the FCA makes several observations about the overall functioning of the cloud market in France. The FCA examines both the bigger picture in terms of how cloud storage fits into a larger digital world, and more narrowly on issues such as market players and features. Key to the FCA's findings is an emphasis on the limited likelihood of a new player entering the cloud market and rapidly gaining market share. This is all the more the case as hyperscalers enjoy competitive advantages which allow them to enter the market, and then exercise significant market power. These features – unrivalled financing capabilities to invest in infrastructures and new service offerings, economies of scale and scope, access to a pre-existing customer base – are difficult for others to replicate or compete with.

In addition, the FCA interestingly pointed out that the major providers are built as “cloud ecosystems”, providing customers with a full range of integrated services. This business model gives them a significant competitive advantage over providers of a more limited range of services, as customers tend to choose a provider that will cover their entire needs. For all these reasons, competition for the market is strong, but the FCA finds competition in the market already much more limited.

In the light of these observations, and evident recognition that more needs to be done, the FCA proposed a practical framework to define relevant markets based on user needs determined by customers workloads. This is an innovative way of considering such a market compared to previous case-law and other sector inquiries (see section VII below). According to the FCA, a possible further market segmentation could be by distinguishing sovereign (or 'trusted') cloud services, in the event cybersecurity cloud certifications are considered as barriers to entry (see VIII below). It is no coincidence that the FCA has gone one step further, as this framework can subsequently be used for enforcement-based investigations, which may ultimately lead to penalties and significant changes in ways of working.

In terms of more specific market features, cross-market competitive hazards identified by the FCA include:

• risks related to imbalances in contracts and negotiations between cloud suppliers and customers;
• free 'cloud credits'. These are granted by the cloud provider to a potential customer for a certain time and price, to allow them to discover the cloud provider services and to start building their IT infrastructure. This practice runs the risk of locking a customer into the 'cloud ecosystem' of its initial supplier, especially if credits are combined with free coaching and training programs; and
• 'egress fees'. These are charged when a cloud customer switches its data from one cloud provider to another. Their unforeseeable costs can discourage customers from using services offered by several cloud providers simultaneously or from switching to an alternative provider. It may therefore constitute a significant barrier to multi-homing (using several suppliers for a single workload) and entails a high risk of locking customers into the services of a single provider.

Specific competitive risks were then identified based on distinct time scenarios: (i) when a customer first starts using the cloud, (ii) during the customer migration from one cloud provider to another, and (iii) barriers to expansion for hyperscalers' competitors.

In terms of how to handle these challenges, the Opinion noted that on the antitrust side at least, the most obvious tool to use is the prohibition on abuses of a dominant position, as per Article 102 of the Treaty on the Functioning of the EU (the "TFEU") and Article L420-2 para 1 of the French Commercial Code. The FCA went further, suggesting that this could be bolstered using interim measures. Indeed, this latter is an area where the FCA has significant experience to draw on.

The FCA flagged that merger control also has a role to play in the regulation of markets in this sector, as acquisitions can reinforce the market power of players who are already well established potentially by absorbing innovative smaller players. It also observed that, despite some significant acquisitions in the sector, most have not been subject to scrutiny by competition authorities. Finally, it pointed out that recently revived tools can remedy this situation, such as the referral mechanism provided for in Article 22 of EU Merger Regulation 139/2004 ("EUMR"),¹⁵ and the recent case law of the Court of Justice of the EU, which has held that an acquisition can be analysed a posteriori as an abuse of a dominant position in certain circumstances.¹⁶

The FCA's powers to regulate abuses of economic dependence could also prove a convenient tool for action in this area, as it does not require an analysis of a player's dominant position in the market. Rather it is based on the specific nature of a player's commercial relationships with upstream or downstream partners.¹⁷

It is important to note the attention given by the Opinion to AI and the cloud sector. AI is relatively briefly mentioned, towards the beginning in the sector description and again towards the end, as the Opinion looks forward to future developments. In terms of the latter, the Opinion notes that the rise of AI will likely drive up even further, demand for cloud storage. However, the Opinion stops short of unpacking in a detailed way synergies between AI and cloud storage in its substantive competitive assessment parts.

The Opinion concludes that the FCA is well-equipped to act on competitive risks in the cloud sector using its existing tools. However, market failures are probably best addressed by specially tailored regulatory tools at an EU level, such as the DMA and the EU Data Act.

6. Reflections on the FCA opinion

In its Opinion, the FCA placed considerable emphasis on the risk of abuses of a dominant position in the cloud market. Whilst many key digital players have found themselves subject to scrutiny under these rules in the past few years, it could lead us to wonder whether the application of the other main competition prohibition, ie the prohibition on anticompetitive agreements or practices, has any place in future competition enforcement in the cloud market? Whilst traditionally, the kind of behaviours which might be problematic from an anticompetitive agreement perspective are mainly encountered in mature markets, it would seem short sighted for cloud players not to ensure compliance in respect of both main competition law requirements, and somewhat surprising that the FCA has only dedicated 2 pages of its long report to this issue.

Focusing on abuse of dominance being the relevant 'tool', the FCA's innovative approach to delimiting relevant cloud markets leads us to wonder whether it might create new kinds of alleged abuses. On the one hand, the wording of the legal text and the case law of Article 102 TFEU certainly allow for this. In the same vein, the technicality and complexity of the cloud sector could constitute fertile grounds for imaginative theories of harm. On the other hand, given the FCA's concern about the difficulty of bringing abuse of dominance cases, in part due to the very stringent evidentiary standards, one can question whether in practice the FCA will ever really act in the cloud sector on this basis?¹⁸ Given the extremely complex technical nature of cloud markets, it will take a brave authority to attempt to prove dominance, abuse and anticompetitive foreclosure. Certainly in this context, it would be important to recall that holding a dominant position in itself is not prohibited: to some degree, it is the sheer market power of certain cloud players that allow them to offer real consumer benefits that materially enhance user experience such as integrated platforms, centralised security, and software services on one unified infrastructure. Furthermore, many of the supposed problems with the cloud market flagged by the FCA in its Opinion are not necessarily triggered by the deliberate behaviour of the firms in question, but arguably more a natural and potentially inevitable consequence of storing data remotely and the wider digital ecosystem.

In any case, even if the FCA was to try and intervene on the cloud market on the basis of abuse of dominance provisions, could this realistically deliver the kind of market changes required? Typically abuse cases result in financial penalties or commitments by the specific player in question to behave in a certain manner going forward. Such an outcome does not really address the kind of cross-market problems flagged in the French Opinion. 

The other key tool for intervention by the FCA is of course merger control. Given its ex ante nature, this in principle is well suited to intervene in dynamic digital markets before any supposed competition problem gets entrenched. The FCA has announced that it is looking at options for strengthening its merger powers even further and in particular, to be better adapted for interventions in digital markets where traditional concepts do not work, or only with difficulty. That said, whilst the FCA's Opinion would certainly help in terms of possible market definition and context, given the turnover figures likely to be involved, the Commission's one-stop shop jurisdiction for the largest mergers, bolstered by its recently invigorated ability to call in mergers under Article 22 EUMR, will probably reduce the chances for the FCA to intervene in the face of consolidation in the cloud market.

Whilst the FCA has said that it is considering its own next steps after its work on this Opinion, and it might well be useful groundwork for future studies the FCA is required to do into AI, more immediately it is hard not to spot that the FCA's approach has moved from one of neutral learning, to enforcement. Soon after the Opinion was published, the FCA's General Rapporteur made it clear that the FCA's investigation services were assessing the evidence gathered in the Opinion to consider whether an antitrust investigation is warranted.¹⁹ Shortly after that, the FCA's investigation services carried out a dawn raid at the premises of a graphics card company, a sector particularly relevant in the cloud industry. ²⁰ Whilst these investigations are at the early stages, and there is no guarantee that the FCA will take these projects any further, their timing on the back of the Opinion seems significant. Nevertheless, it is important to bear in mind that the FCA will need to carry out a more in-depth analysis before it can reach any formal infringement findings. The fact that the FCA carried out an inspection in the graphics card sector and not directly in the cloud sector supports this hypothesis. Moreover, the Dutch competition authority, which had initially announced the forthcoming opening of a formal investigation into egress fees when it released the results of sector inquiry, withdrew its decision a few months later (see VII below). This might indicate that NCA enforcement work in this area is riddled with challenges, even though many of them are keeping a close eye on it.

7. Other NCAs

The French Opinion is very timely as other NCAs have already tackled, or are in the process of tackling, this subject. Globally, NCAs broadly agree on the main competitive concerns raised by the cloud sector, particularly regarding market foreclosure.

Arguably the first mover in this area was the Dutch Autoriteit Consument & Markt (the "ACM"). On 5 September 2022, it published its findings as well as proposals to enhance the Data Act draft.²¹ The ACM then launched a formal investigation into barriers to switching, but ultimately abandoned the idea, considering more appropriate tools such as the EU Data Act should provide a better structured and swifter response.²²

More recently, the Portuguese Competition Authority echoed these concerns, noting in its report into competition risks in the generative AI sector that digital markets characteristics 'may raise risks to competition, particularly exclusionary strategies, in the markets for cloud computing, hardware and Generative AI models.' In particular, the Portuguese Competition Authority noted that the birth of generative AI models has been made possible by the mastery of sophisticated hardware such as cloud technologies, and as these models are hungry for data and computing power, cloud capabilities are bound to expand ever further. It also stressed that the largest digital players are already offering foundation models as part of their own cloud services, increasing the incentive for customers to centralize all their IT needs with a single provider. In summary, cloud computing turns out to be an essential input for providing customer-appealing AI models, and as such should be a priority to maintain competitive dynamic in markets for nascent pioneering technologies.²³

As recently as November 2023, the Spanish Competition Authority announced that it had decided to open a market study into the cloud market with familiar concerns flagged such as market concentration and barriers to switching. It will then propose a series of recommendations aiming at promoting a more competitive environment.²⁴

Staying close to Europe, in the UK, Ofcom – the communications regulator – has been looking at the cloud sector for some time, issuing a call for input on 6 October 2022 and publishing an interim report on 5 April 2023.²⁵ While releasing the latter, Ofcom announced its decision to refer this sector inquiry to the Competition & Markets Authority (the "CMA") for further in-depth investigation, given, in part, to the complex competition matters involved. In so doing, Ofcom identified three main 'cloud' practices that it considered merit further scrutiny. These closely align to findings of other NCAs: the cost of egress fees, technical restrictions on interoperability and committed spend discounts (what the FCA calls cloud credits). On 5 October 2023, the CMA announced that it was launching its own market investigation, to consider whether there are features of a market that have an adverse effect on competition and if so, what might be appropriate solutions.²⁶ Interestingly, and potentially benefitting from coming to the cloud party a little later than others and therefore able to pounce on the uptick in AI, the CMA “will consider the potential impact of AI on how competition works in the cloud services market.”

Over 2024 and into the first quarter of 2025, the CMA will have a mixed disciplinary team dedicated to looking at whether competition in the cloud market is working well, and if not, what should be done about it. Responses received by the CMA to its issues statement are quite varied but echo a lot of the issues flagged by other regulators already. For example, in respect of lock-ins and lack of interoperability.  The timing of the CMA's market investigation is particularly interesting, given that the UK's version of the DMA, the UK Digital Markets, Competition and Consumer Bill is relatively likely to come into force during this timeframe. If that happens, and cloud providers are characterised as having Strategic Market Status (the equivalent of Gatekeepers under the DMA – see further below), it might be that the CMA is in a position to impose obligations on cloud service providers on the basis of its new digital powers, before any other regulators. If however the CMA continues with its traditional market investigation tool, unlike other national advisory procedures, it has an arsenal of relatively radical remedial powers, including proposals for legislative intervention or even structural changes in the main market players. However, remedies as draconian as the latter are unlikely, given the need to tread carefully in this nascent market where the CMA will be concerned not to impose measures which potentially or actually stifle innovation. Indeed, perhaps the consensual approach to a code of conduct for cloud providers focusing on increasing / improving market transparency, interoperability or industry wide standards seems more likely.

Further afield but not to be neglected, on 28 June 2022, the Japanese Fair Trade Commission (the "JFTC") released its report on cloud services.²⁷ It interestingly raised concerns about the likely imposition by cloud providers of price parity clauses on cloud marketplaces. Indeed, the latter are services proposed by mostly hyperscalers where the cloud provider sells its own services and those of third parties to customers. Like other online platforms, cloud marketplaces have the distinctive feature of constituting a two-sided market on which the cloud provider plays a double role of seller and intermediary.

The Korean Fair Trade Commission (the "KFTC") published its cloud sector survey on 28 December 2022.²⁸ It makes similar observations to those of the FCA, such as noting the highly concentrated markets – which are bound to become even more concentrated in coming years, the tendency of customers to concentrate their workloads with one or two providers at most, the lack of interoperability between services of different providers, and the unpredictability of data transfer costs. As a result, the KFTC planned to establish a policy direction to set expectations, and to regularly monitor conducts.

Keeping going round the globe, in the US, the Federal Trade Commission ("FTC") also made clear that it is interested in cloud-related matters, sending out RFIs in March 2023.²⁹ In parallel, the FTC organised a webinar during which the Chair, Lina Khan emphasised that, at the FTC, they "want to make sure […], that [they are] fully understanding, what are the factors that are leading the market to be so concentrated in the hands of a few companies? And also, what are some of the downstream risks that might stem from that, that need to be on [their] radar, both on the competition side, as well as on the consumer protection and data security side?".³⁰ The FTC received over 100 responses to these RFIs, which seem to largely echo concerns outlined in the FCA Opinion, ie software licensing practices, egress fees to leave services and minimum spend contracts. Interestingly, when indicating potential next steps, the FTC underlined the need to take a multidisciplined and joined-up approach to handling concerns in the cloud market including consumer, data privacy and security regimes. In perhaps a new idea for the debate, government leverage in procurement contracts with the largest cloud players, was also flagged as a potential tool to use in reigning in significant market power on cloud markets.³¹

Reflecting on this global flurry of activity, it has been over two years now that competition authorities around the world have been grappling with the cloud sector. They have significant shared concerns. Against this backdrop, the Commission's response is maybe a little surprising.

8. European perspective

The EU's Data Strategy has several proposals to develop 'interoperable cloud and edge services to support the building of common European data spaces.'³² The goal is for 75% of enterprises based in the EU to be using cloud computing services, big data, and artificial intelligence by 2030. In this context, the recently agreed EU Data Act³³ contains new specific binding requirements governing all cloud providers, related to:

• the imposition of minimum regulatory requirements, to enable cloud customers to switch from one service to another;
• the creation of European standards for interoperability between cloud services; and
• mandatory safeguards to protect data held on cloud infrastructures in the EU, to avoid unlawful access by non-EU governments.

Many of these provisions are expected to apply from late 2025 and should lead to some significant changes in the cloud market. For example, barriers to switching are widely defined and are not just limited to technical aspects. They encompass for example, commercial, contractual and structural barriers. However, cloud providers have escaped some of the new rules in the Data Act, especially around data sharing, as they have not (yet) been qualified as gatekeepers under the DMA.

In addition, as every European country is taking steps to build its own cybersecurity scheme for cloud computing services, the EU "Cybersecurity Act"³⁴ has been adopted in 2019 to avoid fragmentation in the European market. This regulation provides for the creation of a single cybersecurity scheme at the European level, namely the European Cybersecurity Certification Scheme for cloud Services (EUCS). This scheme should ensure a very high level of cybersecurity, but also encourage the location and processing of data hosted in the EU. It is designed as well to guarantee immunity of data generated within the EU against the extra-territorial application of foreign laws that are conflicting with EU principles, particularly with regard to privacy. This last criterion is at the heart of debates between Member States, and the reason why no agreement has yet been reached. Indeed, there are concerns that the EUCS might actually end up fragmenting the EU digital single market because of its potential to exclude certain cloud players for nationality-based reasons.

This uncertainty prompted several non-European cloud providers to push forward partnerships with European players known for their focus on cybersecurity, to eventually provide "trusted" cloud services. To be operational, these "sui generis beasts" must first obtain the highest security certifications, which is far from obvious given the above. Some of these projects are built as joint ventures and require prior approval from competition regulators under merger control rules.³⁵ However, merger control carried out in this kind of context is unlikely to operate as a robust safeguard of competition in the cloud market. The analysis is / would be limited to an analysis focused on the specific question of significant lessening of competition in probably relatively narrowly defined markets, with no or only minimal horizontal overlaps, which would be unlikely to give rise to any material concerns. 

Against this background, one could have expected the Commission to seize the opportunity of the DMA to include cloud players within its purview to ensure 'fair and contestable' cloud markets. So far, the DMA's quantitative thresholds have not allowed any cloud services to be designated despite cloud being envisaged as a relevant core platform service. This seems to be because there are not enough active end users.³⁶ Indeed, the DMA's architecture is centred on a platform's number of end users – a concept which is hard to apply to cloud services which are inherently B2B. Whilst it would be wrong to shoehorn cloud services into a numerically based framework into which they cannot fit based on a sensible reading of the relevant texts, it is perhaps an early indication of the shortcomings of the DMA, that it seems poorly adapted to capture in practice the kind of services it seems to acknowledge should be within its scope.

Designation of cloud services via the alternative qualitative route under the DMA seems possible.³⁷ This would require consideration of several different factors, including many which the FCA flagged as significant in its Opinion: network effects, barriers to entry, advantages arising from data, scalability and difficulties with changing providers. We are not, however, holding our breath for this to happen any time soon given that this was not announced alongside the one current qualitative market investigation, and the huge amount of other important work the Commission has already undertaken in this area.³⁸

That said, there is some pressure on the Commission to proactively act in the cloud market from a regulatory and competition perspective, to match its work in other digital sectors. There have been high profile expressions of regret and even concern, that cloud services have not so far formed part of the designation of core platform services.³⁹ Moreover, the issue of the Commission regulating (or not) the cloud activities of the biggest digital market players is political. Smaller European cloud providers seem anxious of the EU cloud market relying to such a degree on American cloud service companies. It is therefore potentially unsurprising that less than 12 months after it has come into force, the President of the FCA has called for the DMA to be amended to tackle cloud services.⁴⁰

Of course, just because cloud players are not designated under the DMA does not mean that they escape the Commission intervention on competition grounds. In theory, Article 102 TFEU remains in the toolbox ready for the Commission to seize, but in practice the Commission is not rushing in to do so.⁴¹ Moreover, the clunkiness of a traditional 102 enforcement analysis seems maladapted to the swift moving cloud market. Indeed, even since the French Opinion, some of the debate in this area has already moved on to how cloud storage sits alongside AI, and the potential concerns that might give rise too. For example, is there a risk that the small number of large cloud players might reserve cloud access to their AI tools?⁴² The comparatively nimble DMA is largely thought of as overtaking Article 102 TFEU as the Commission's default tool in the digital sphere⁴³ and there have been high profile comments about the inadequacy of traditional competition tools to effectively regulate the online economy.⁴⁴

Similarly, should a merger in this sector occur, and the relevant thresholds be met, the Commission might get the opportunity to intervene on the basis of its merger control powers. Indeed, like several other competition authorities around the world, it looked at consolidation in the cloud gaming market last year.⁴⁵ Whilst the potential consequences of this kind of intervention might be significant not only for the merging parties but also consumers and other market players, the EU merger rules are neither designed for, nor well adapted to, dealing with cross-market issues such as lack of transparency and problems with switching. Supposed problems, such as those flagged by the French Opinion, arise from the fact that a small number of market players allegedly have too much market power. Whilst preventing them via merger control from gaining more market share, or entrenching it further, might go some way to 'slowing the spread' of their market presence, it would not be able to make them change the pre-merger status quo. In any case, given the players at stake, any merger intervention in the cloud sector is likely to arise in a 'killer acquisition' context, where one of the bigger established cloud players is trying to acquire a little innovative start up. The focus of any merger analysis would therefore probably be mainly on vertical overlaps, where more often than not, any concerns linked to the concentration are likely to be resolved in practice.⁴⁶ Finally, it is worth remembering that one of the most powerful catalysts for the new digital rules in both Europe and the UK, were high profile concerns about the short-comings of existing merger control rules, and indeed antitrust tools, to tackle the problems digital markets including the cloud, give rise to. A new solution is required.

For all these reasons, it would be surprising if the Commission does not prioritise its work in the cloud market space over the next few years, given expectations that it must flex its enforcement muscles, not just its policy and advocacy ones. This is a particularly timely issue now that specific concerns have been flagged by several different competition authorities. Indeed, one could look with some concern on the apparent potential imbalance between the Commission's advocacy in the tech sector and its actual enforcement recently. By way of illustration, for three years, the Commission imposed no fines for abuse of a dominant behaviour but has been extremely busy discussing policy in that area.⁴⁷ In comparison, several NCAs including the FCA have handed down enforcement decisions and in some cases, imposed significant fines. As Nuno Cunha Rodrigues, President of the Portuguese Competition Authority, recently said, '[o]ne of the key elements to an effective competition agency is to achieve a right mix of advocacy and enforcement. A mix where both dimensions are mutually reinforcing'.⁴⁸ This current apparent imbalance, raises the broader question of whether the role of competition authorities is gradually shifting from enforcer to a more empowered role akin to a legislator?

However, given the challenges with enforcing competition rules against cloud players (see above), and the lack of 'teeth' of the Commission's sector inquiry tool, could this be an unexpected opportunity to revive the discussion of the abandoned New Competition Tool,⁴⁹ which was overtaken by the DMA and the DSA (Digital Services Act)? ⁵⁰ Now, discussions on this topic could be reopened, taking into account not only feedback received from the past consultation on a new tool, but also lessons learnt already from the new EU digital regime. This seems fitting given where the new European digital rules have landed: a list of 'dos and don'ts' for the largest digital players as they offer specific digital services. There is still no tool which allows the Commission to look across markets in a more rounded way and impose remedies which have true impact, other than the [old] sector inquiry tool, which makes noise, but arguably drives no real market change. The timeliness of this option is also worth reflecting on, given the need for very careful interventions in the cloud market. A recurring theme of the advocacy work carried out by the NCAs into these emerging markets has been the need for more transparency and more interoperability. To deliver this in practice, regulators need to work with the companies involved and indeed a wider pool of effected stakeholders to work out how to improve market functioning across the piece. Both need to learn from each other. Targeted action 'against' specific companies ordering specific behaviour does not seem to be the right solution, and risks dampening innovative flair in a market where this is crucial for future competition.

Whilst the Commission considers its next steps in relation to the cloud market, two questions arise. First and most immediately, the potential European lacuna begs the question - where will this leave NCA work into the cloud sector? Secondly, is the absence of a European regulatory tool or enthusiastic authority jumping in on these issues necessarily a bad result for businesses and consumers? A NCA handling perceived competition problems in the cloud sector on the basis of national rules may be preferable to the Commission doing so in certain circumstances, such as for example, the strong national ground preparation it can lay for swift and targeted enforcement action. Certainly, the FCA's Opinion shows that NCAs have a lot to contribute to this debate. As things stand, the FCA and the Dutch ACM are arguably the European thought leaders in this space for the time being, noting several other European NCAs have also been active in this sphere.⁵¹ This is however somewhat ironic given that both the FCA and the ACM have flagged that the Commission seems to be the best placed to deal with cloud market challenges. Indeed, whilst there seems agreement on the main points, differing ideas about the best way forward in these inherently supra national markets risk fragmenting the EU internal market and undermining the whole idea of a single European digital market. As such, leaving the NCAs to regulate this market alone, does not seem ideal, and a joined-up approach offers several advantages.

9. Concluding remarks

The way in which the FCA has taken the initiative to investigate in such detail and with such insight the cloud market is notable and stands out. It would thus make sense for the expertise it has built up, to continue to be developed and used where appropriate, in enforcement action. However, this type of work risks not having the impact it could – or even should – have, due to the fragmented responses to these issues, particularly in the European Union. Past cases suggest that given the global nature of digital markets, companies are often keen to work with regulators, to find solutions which work across borders.⁵²

At the same time, whilst the inherently cross-border nature of the sector seems to militate in favour of more European intervention than might currently be the case, there does seem to be space for at least some significant competence at the French and other national levels. This might be particularly the case in relation to issues such as customer switching, where consumer habits might vary across jurisdictions for cultural and other reasons potentially linked to the bigger legislative and policy picture in each country.

Although during the DMA's creation and planning, the Commission was clear that its enforcement is first and foremost a European matter – with NCAs left with supporting roles – might there now be a need for NCAs to step up in this space? Or maybe more specifically, and in order to restore the institutional equilibrium, could there be a place for some kind of 'referral up' case allocation mechanism from NCAs to the Commission for these kinds of issues, and making use potentially of the information sharing within groups like the well-established European Competition Network? We have recently seen in the merger sphere the Commission asserting jurisdiction over cases which give rise to cross-border issues. Could this also happen in the wider competition context and under the new DMA rules? The flexibility in the European competition and regulatory frameworks, and the information sharing possibilities amongst NCAs and the Commission, seem to allow ample opportunity for issues to be dealt with by the best placed authority, and on a clear legal footing with proper procedural safeguards in place. In this vein, it is likely that the future picture of intervention in the cloud market will be multi-faceted with vital contributions at both EU and NCA level and based on regulatory as well as competition rules. All these different regimes and authorities should be contributing to their full extent, complementing each other so that the best placed authority intervenes with the best suited tool in any given case. This will ensure the work carried out so far into the cloud market is maximised and should mean, that going forward, cloud players operating in Europe can benefit fully from competition on the merits to the advantage of all concerned.