A Dutch ACM signal on Azure and AWS turns cloud choice into a question of proof.
At a small wholesaler outside Utrecht, cloud is not a technical word. It is Tuesday morning: the webshop, stock list, invoices, accountant login, staff planning and customer messages. If one supplier changes a condition or an integration breaks, the owner thinks first about orders, wages and proof, not European law.
The signal has to become readable
ACM has now put that door in a competition-law frame. The European Commission worked with ACM on Microsoft Azure and Amazon Web Services. It has reached a preliminary position that both cloud services should comply with Digital Markets Act obligations for gatekeepers. The investigation found that these services form an important gateway between businesses and users in the digital economy.
Microsoft and Amazon can respond before the European Commission makes a final decision. If final designation follows, they would have six months to comply for those cloud services. ACM can investigate and support, but the Commission decides and enforces the DMA.
The door is legal, the exit is operational
For an owner-manager, the useful reading is less about a Brussels label and more about control. A small firm feels cloud dependence through exports that work or fail, contracts that are clear or vague, and systems that can or cannot speak to each other.
The EU Data Act sits next to this. It applies from 12 September 2025, and Dutch implementation entered into force on 21 November 2025. Its purpose includes fair access to data, use of data, competition and freedom of choice in cloud services. That gives portability a harder business edge.
CBS gives the scale. In 2025, 69 percent of Dutch companies with 10 or more employed persons used paid cloud services. In ICT the share was 89 percent, and in industry 70 percent. The figures cover selected commercial sectors, but the daily pattern is easy to recognise. The cloud is where many companies keep evidence.
Where the cost hides
The monthly cloud invoice can look harmless. Thirty euros here, two hundred there, a larger platform fee somewhere else. The real cost often sits off the invoice: migration work, rebuilt integrations, temporary duplicate subscriptions, staff training, data cleaning, legal review and downtime.
What the signal changes
Take the Utrecht wholesaler again. The owner can see the subscription price for the webshop system. She may not see that the stock tool, payment provider, customer service dashboard and bookkeeping export all depend on the same deeper cloud layer. If she moves, the price is also the bridge between old and new.
CBS has described the Dutch cloud market as dominated by a small number of very large foreign hyperscalers. It cites an ACM 2022 estimate that hyperscalers held about 70 to 85 percent of the Dutch market. CBS also notes that cloud services are layered into infrastructure, platforms and software. The direct supplier is not always the only dependency.
Client questions move down the chain
For firms selling into banks, insurers or payment chains, cloud control already reaches the commercial table. DNB explains that DORA applies from 17 January 2025 in the financial sector and covers ICT risk, incidents, resilience testing and critical third-party ICT risk.
AFM and DNB warned in October 2025 about growing risk from dependence on a small number of non-European IT suppliers. Common suppliers and infrastructures can create concentration and systemic risk. A small supplier may feel that warning through client questions about cloud registers, subcontractors, continuity plans and incident evidence.
The question moves down the chain until it reaches the company that holds the actual records. That is where procurement turns into pressure. A customer does not only want a price. It wants a working answer when the platform fails, the invoice trail is missing, or the export file will not open.
Records are evidence
Compliance becomes practical when the finance office gets involved. Bookkeeping files, VAT support, payroll exports, customer consent records, contract history and project proof are not simply stored in the cloud. They may be needed years later, in readable form, with a clear trail of who did what and when.
The public sector is already translating cloud control into contract language. In 2026 the Dutch central government signed a framework agreement with European cloud provider STACKIT. Conditions include data storage in the European Economic Area, audit rights and termination conditions if ownership moves outside the EEA. For private firms, it offers useful contract language rather than a direct rule.
What founders should check
The Belastingdienst has also made digital autonomy a priority. For its new VAT system, the tax authority will take over hosting infrastructure management, keep servers in its own data centres, control the software-update channel and secure access to source code. The lesson for business is simpler: control has become concrete.
The calm discipline
A company that wants to reduce blind dependence can start small. A one-page cloud map is often enough: provider, service, business process, data type, users, linked systems, internal owner and exit route. The point is not paperwork. The point is to know which three systems would stop invoices, payroll, fulfilment or legal proof.
ACM also invites businesses to report signals about problems that may fall under the DMA, including barriers to platform access, data exchange or linking services to a large digital platform. That only works when a firm can describe the problem clearly. Screenshots, contract clauses, failed exports and integration logs speak better than frustration.
Back at the wholesaler, the first question is simple. Can she leave a critical service without losing company memory? Can she export usable data? Does the contract explain return and deletion? Who knows the integrations? What would two months of parallel systems cost?
This is compliance without theatre. It is not fear of technology. Cloud convenience has helped small firms move faster, sell wider and avoid heavy servers in the back room. That value is real.
But convenience deserves a ledger next to it. Not only a ledger of money, but of access, proof, dependence and choice. When the supplier holds the door, the owner-manager needs to know where the exit is, who has the key and whether the company can still serve customers on Wednesday morning.
Sources
- Voorlopig standpunt Europese Commissie in onderzoek met ACM: clouddiensten Microsoft en Amazon vallen onder DMA | ACM
- Wettenbank – Dutch DMA implementation and ACM role
- Overheid.nl / Ondernemersplein – DMA meaning for entrepreneurs
- Overheid.nl – Data Act implementation and cloud switching
- CBS – Actual cloud use by Dutch businesses
- CBS – Cloud market concentration and measurement limits
- Rijksoverheid / Open Overheid – Dutch government view on the joint investigation and CADA
- Rijksoverheid – Dutch government digital autonomy and cloud procurement
The Polder is written for readers who need the Dutch business environment translated into practical meaning. Corrections, source policy and editorial accountability are part of the publication record.
