When Sergio Leone shot “The Good, the Bad and the Ugly” in 1966, he refused to hand the audience a clean moral. The “Good” wasn’t really good. The “Bad” looked almost restrained next to the Civil War’s industrial-scale carnage. And the “Ugly” drew your sympathy—even as you questioned why.
Two years into the Competition and Markets Authority’s (CMA) enforcement of the Digital Markets, Competition and Consumers Act (DMCC), a similar ambiguity hangs over the United Kingdom’s flagship digital-competition regime. Plenty deserves praise. Plenty invites criticism. More unsettling, the balance between the two may turn less on the statute itself than on who stands at the regulatory saloon door.
On balance, this story looks more encouraging than the one unfolding across the Channel under the European Union’s Digital Markets Act (DMA). The CMA has largely resisted the European Commission’s instinct to fire every barrel at once. At times, it has declined to fire at all. It has also shown a real—if uneven—sensitivity to the costs of intervening in markets that may already function tolerably well.
But those same features expose the regime’s fragility. The DMCC’s better outcomes reflect well-exercised regulatory discretion. And discretion can evaporate with a change in government.
With that caveat in mind, let’s survey the terrain.
The Good: Restraint, for Once
The most important DMCC decision of the past two years is one the CMA did not make. After a lengthy market investigation, it declined to designate Amazon Web Services (AWS) as having Strategic Market Status (SMS) in cloud services.
That outcome was anything but inevitable. The CMA’s provisional findings had described UK cloud infrastructure as a “two-horse race” dominated by AWS and Microsoft, and floated SMS designation for both firms as a remedy. Designation would have triggered the DMCC’s full ex ante toolkit: bespoke conduct requirements, ongoing oversight, and the prospect of pro-competition interventions reshaping how these firms operate in the United Kingdom.
As International Center for Law & Economics (ICLE) scholars argued in comments on the provisional findings, that approach would have been a mistake. Cloud computing remains in the relatively early innings of replacing on-premises IT, which still accounts for the lion’s share of global IT spending. Within cloud, market shares have shifted. Microsoft and Google have made significant gains in recent years, while AWS’s share has held steady or declined.
Competition has not stood still. New entrants and adjacent competitors—Oracle, IBM, Alibaba, Huawei, OVHcloud, and DigitalOcean—continue to vie for customers. The pace of innovation, including in custom silicon, looks far more like a race to innovate than the kind of ossified gatekeeping SMS designation targets. Designating AWS in such a market would risk freezing a snapshot of competition just as the picture changes. The CMA’s March 2026 announcement suggests it reached much the same conclusion, at least for AWS.
That does not mean everything is perfect. Through engagement with Microsoft and Amazon, the CMA secured material commitments on cloud egress fees and interoperability—the two issues most plausibly raising competitive concerns—without resorting to SMS designation. Reasonable observers can disagree about the necessity of those remedies. From an error-cost perspective, however, it is encouraging that the CMA used the least-intrusive tool available. In other words, the CMA appears to deploy SMS designation more cautiously than its European counterparts.
Along similar lines, the CMA did open a separate SMS investigation into Microsoft’s business-software ecosystem, citing concerns that licensing practices spill over into cloud competition. Whether designation here would make sense remains an open question. The broader point is clearer: the CMA’s approach contrasts sharply with the European Commission’s tendency to designate first and ask questions later.
More generally, the CMA’s “4Ps” framework—pace, predictability, proportionality, and process—introduced in late 2024 and formalized in early 2025, has guided a measure of regulatory self-discipline. Combined with the May 2025 Strategic Steer, which placed economic growth at the center of the CMA’s mandate and directed it to focus on harms with “clear and direct UK impact,” the regime has, at least so far, avoided the worst pathologies of compliance-by-checklist that characterize life under the DMA.
The Bad: When Restraint Gives Way to Overreach
If the cloud decision offers the headline good news, the proposed conduct requirements emerging from the Apple, Google mobile, and Google search SMS designations serve as a reminder: even a measured regulator can talk itself into interventions whose costs may outrun their benefits.
Start with mobile ecosystems. The CMA’s proposed designations cast Apple and Google as a “stable duopoly” with limited competitive constraint. That framing undersells the rivalry between iOS and Android. User churn between the platforms hovers around 20%. Each ecosystem leapfrogs the other on features and security. New users continue to flow into both. These are not the hallmarks of an ossified market.
They point instead to two distinct business models competing head-to-head. Apple offers an integrated, curated system. Android offers a more open, customizable alternative. They compete on quality, price point, and user experience. The remedies the CMA appears to contemplate—mandated interoperability with rival browsers and wallets, choice screens, and restrictions on revenue-sharing with device makers—risk forcing convergence between two deliberately different products.
As ICLE scholars have argued, much of what the CMA labels anticompetitive “self-preferencing” or “lock-in” functions as the connective tissue that delivers security, privacy, and reliability. Consumers value—and pay for—those features. Mandated interoperability carries real, demonstrated costs. The July 2024 CrowdStrike/Microsoft outage, which grounded airlines and disrupted hospitals for hours, was at least partly the product of such mandates. These risks are not hypothetical.
The concerns extend to search. The Publisher Conduct Requirement proposed under Google’s general-search designation would impose granular obligations: opt-out controls for AI training and grounding, plus transparency, reporting, and attribution rules. Those obligations would not apply to OpenAI, Anthropic, Meta, or other generative-AI firms relying on similar public web content. The result is regulatory asymmetry that burdens one firm in a fast-moving market—while tackling issues that sound more in copyright than in competition policy.
The deeper problem lies in the CMA’s analytical drift. At points, it moves from “competition policy protects competition” to “competition policy protects competitors.” Conduct that disadvantages rivals—integrated features, direct answers in search, preinstallation of native apps—often benefits users by lowering search costs and improving relevance.
The empirical record under the DMA should give pause. Banning Google’s vertical-search self-preferencing in the European Union reportedly reduced clicks to hotel websites by 17.6% and direct bookings by as much as 36%, diverting traffic to intermediaries—including Booking.com, itself a designated gatekeeper. Choice screens have produced minimal shifts in search-market share while adding friction for users.
If the CMA imports these mistakes wholesale, it will squander the goodwill its more measured approach in cloud has earned.
The Ugly: It Depends Who’s Holding the Gun
There is a more troubling dimension to this otherwise mixed assessment of the CMA’s performance. The CMA has, on balance, enforced the DMCC more sensibly than the European Commission has enforced the DMA. But the statute does not compel that outcome. The CMA, under the current government’s Strategic Steer and its leadership, has chosen to exercise its discretion in a more measured way.
That choice has a political backstory. In January 2025, then-CMA Chair Marcus Bokkerink stepped down, warning in his farewell remarks that “investors put a price on the risk of political intervention, unpredictability and inconsistency.” His successor, former Amazon UK head Doug Gurr—who recused himself from the cloud designation decision for obvious reasons—arrived alongside an explicit ministerial expectation that regulators would “supercharge the economy.”
The CMA’s “4Ps” framework, the Strategic Steer, the new growth duty, and merger-review reforms all reflect a deliberate political shift toward pro-growth, pro-investment enforcement. Whatever one thinks of that shift, the CMA’s current restraint flows in no small part from who occupies 10 Downing Street.
That should give pause for two reasons. First, it points to internal tension within the CMA. Staff and case teams often propose conduct requirements that look every bit as ambitious as Brussels’ DMA playbook. The board and political leadership have, so far, pulled in a more cautious direction. The mobile and search cases suggest where the agency might land if that balance shifts.
Second, and more fundamentally, the DMCC itself grants sweeping regulatory power. Its architecture—designation, conduct requirements, pro-competition interventions, and fines of up to 10% of global turnover—rivals the DMA in scope. A future government could redirect the regime toward far more interventionist enforcement using the same statutory tools. The statute offers little in the way of a firebreak.
The current consultation on “Refining Our Competition Regime” underscores the risk. Proposals to abolish the independent panel system, expand algorithmic-investigation powers across the broader economy, and create a single-phase market-review tool would extend DMCC-style ex ante features into areas where the case for them remains unproven. Reforms that concentrate decision-making and weaken structural safeguards do not constrain discretion. They amplify it.
Calm in the Street, Tension in the Holster
Reasonable people can disagree about the merits of ex ante digital-competition regulation. But once these regimes exist, how regulators wield them matters enormously. On that score, the CMA deserves real credit. Its first two years enforcing the DMCC have been more proportionate, more targeted, and more open to engagement than the European Commission’s parallel efforts under the DMA.
The decision not to designate Amazon Web Services (AWS), the negotiated commitments on cloud egress fees and interoperability, and the broader discipline imposed by the “4Ps” framework all count as meaningful achievements.
Still, the warning signs are hard to miss. The overbroad mobile designations, the asymmetric publisher conduct requirement, and the pull to replicate the DMA’s missteps on self-preferencing and choice screens all point in the same direction. Expansive enforcement has a gravity of its own.
And the uncomfortable truth is this: what separates the United Kingdom from Brussels right now is not the law on the books, but the discretion of those enforcing it. That is an achievement. It is also a thin reed.
In Leone’s film, the dust settles, the music fades, and no one walks away entirely clean. Two years into DMCC enforcement, the same ambiguity lingers. The sheriff has kept his powder dry—for now. The question is who shows up for the next draw.
