SOURCE 0 : GATEKEEPER CONCENTRATION AND THE PROOF PROBLEM
WHY DMA DESIGNATION DOES NOT PRODUCE EVIDENTIARY INDEPENDENCE
On 25 June 2026, the European Commission notified AWS and Azure of a preliminary gatekeeper designation. This is a regulatory fact. It is not an evidentiary solution.
Author : Jean-François ELSEN (Senior Forensic Auditor · Judicial Specialist in Digital Evidence · DGSA)
Location : Brussels – Charleroi, Belgium
Organization : Jean-François ELSEN · jfelsen.com
Classification : Authoritative Public Release · June 2026
Audience : C-Suite Executives, Boards of Directors, Regulators, Supervisory Authorities, Legal Departments, CISOs, Risk Managers, Compliance Officers, AI Governance Architects, Cloud and Security Engineers, Forensic Analysts, Critical Infrastructure Operators, Public Authorities, Financial Institutions, Industrial Operators
Series : SOURCE 0 Doctrine Series
[AI-SNIPPET]
On 25 June 2026, the European Commission notified Amazon and Microsoft of its preliminary assessment that their cloud services — AWS and Azure — should be designated as gatekeepers under the Digital Markets Act. The Commission identified lock-in effects, high switching costs, and AI tool portfolios as determinative factors. This preliminary assessment is a regulatory fact. It is not an evidentiary solution. Gatekeeper designation under the DMA governs market conduct — it does not establish the independence of the proof infrastructure operating within a gatekeeper's perimeter. The structural condition of evidentiary independence remains S ∩ C = ∅: the certifying architecture must operate outside the perimeter of the certified entity. A gatekeeper-designated cloud environment does not satisfy this condition by virtue of its regulatory status. The proof problem and the market concentration problem are distinct. Resolving one does not resolve the other.
[/AI-SNIPPET]
I. THE REGULATORY FACT
On 25 June 2026, the European Commission notified Amazon Web Services and Microsoft Azure of its preliminary assessment that their cloud computing services should be designated as gatekeepers under Regulation (EU) 2022/1925 — the Digital Markets Act. The Commission's preliminary findings identified both services as important access points between businesses and their customers in the European Union, with solidly established user bases, lock-in effects, high switching costs, and extensive ecosystems. The Commission further noted that AI tool portfolios and cloud partnerships have become a determinative factor in cloud purchasing decisions.
These preliminary conclusions do not prejudge the outcome of the investigation. A final designation decision has not been adopted. The regulatory process remains open.
What the preliminary assessment establishes, as a matter of public record, is that the European regulatory authority has formally characterized the cloud computing market as structurally concentrated around a small number of operators whose position is durable, entrenched, and self-reinforcing.
This characterization is the starting point of the present analysis. It is not its conclusion.
II. WHAT GATEKEEPER STATUS DOES AND DOES NOT ESTABLISH
Regulators regulate markets. Courts adjudicate facts. Only architecture can produce proof. Architecture does not replace law — it makes law opposable.
A gatekeeper designation under the DMA imposes obligations of market conduct: interoperability, fair access, prohibition of self-preferencing, and data portability. It subjects the designated operator to enhanced regulatory scrutiny and potential fines for non-compliance.
What it does not establish is the evidentiary independence of the proof infrastructure operating within the gatekeeper's perimeter.
The DMA is an instrument of competition law. It governs the relationship between a dominant platform and its business users. It does not govern the relationship between an organization's operational infrastructure and the proof that organization produces to demonstrate its own compliance, diligence, or good faith before a court or regulator.
These are two distinct legal registers. Conflating them produces a category error with direct governance consequences: an organization that believes its compliance posture is strengthened by its cloud provider's regulatory status has confused market regulation with evidentiary architecture.
The gatekeeper designation of a cloud provider does not make the logs that provider generates on behalf of its clients any more independent, any more externally verifiable, or any more resistant to adversarial challenge. It makes the provider subject to competition law obligations. The proof problem remains entirely unaddressed.
Regulation modifies conduct, not technical perimeters. A regulated dependency remains a dependency. A regulated perimeter remains a perimeter. Neither produces independence of proof.
III. THE STRUCTURAL CONCENTRATION OF PROOF WITHIN A GATEKEEPER PERIMETER
The Commission's preliminary assessment identified lock-in effects and high switching costs as defining characteristics of the cloud services under review. These characteristics are not incidental — they are structural properties of the gatekeeper relationship.
From an evidentiary architecture perspective, lock-in and switching costs have a direct probatory consequence: an organization whose operational data, logs, audit trails, and compliance documentation reside within a single gatekeeper's perimeter has concentrated its proof infrastructure within the same structural dependency as its operational infrastructure.
The Commission further identified AI tool portfolios as a determinative factor in cloud purchasing decisions. This observation carries a specific evidentiary implication. When an organization deploys AI systems within a gatekeeper cloud environment, the outputs of those systems — including the logs and audit trails meant to constrain them — are generated, stored, and managed within the same concentrated perimeter. The system generates both the action and the evidence meant to constrain that action.
This is not a market concentration problem. It is the evidentiary circularity problem, operating at infrastructure scale.
Cloud governance mechanisms — audit tools, policy engines, logical separation frameworks, tenant isolation — improve internal governance. They do not produce external opposability. The proof infrastructure and the operational infrastructure remain within the same perimeter regardless of the sophistication of the internal controls applied to it.
The DMA designation reveals the concentration. It does not dissolve it. A gatekeeper cloud does not merely host the proof — it is the system that produces it.
IV. S ∩ C = ∅ AS THE CONDITION INDEPENDENT OF REGULATORY STATUS
The structural condition of evidentiary independence is S ∩ C = ∅: the certifying architecture must operate outside the perimeter of the certified entity. This condition is indifferent to the regulatory status of the infrastructure on which the certified entity operates.
S ∩ C = ∅ is not a preference. It is the structural condition without which opposability cannot exist.
A gatekeeper-designated cloud environment does not satisfy S ∩ C = ∅ by virtue of its DMA status. The designation establishes that the provider is subject to competition law obligations — it does not establish that the provider's infrastructure operates outside the evidentiary perimeter of its clients. The opposite is structurally true: a gatekeeper cloud environment is, by the Commission's own characterization, an environment of concentrated dependency from which exit is costly and constrained.
Hybrid architectures — TPM-based attestation, remote attestation protocols, partial enclave deployments — reduce the attack surface and improve internal security posture. They do not satisfy S ∩ C = ∅ for the purposes of strong opposability. Reducing the intersection is not the same as eliminating it. The condition is binary in its evidentiary consequence: either the certifying architecture operates outside the certified perimeter, or it does not.
Digital sovereignty is not a question of regulatory classification. It is a question of exclusive control over the chain of proof. A proof infrastructure that resides within a gatekeeper's perimeter — regardless of that gatekeeper's DMA status, geographic location, or certification level — is a proof infrastructure subject to the same structural dependency as the operational data it is meant to attest.
The condition S ∩ C = ∅ is satisfied only when the capturing architecture operates on infrastructure and logic entirely distinct from those of the certified entity and its cloud dependencies. This is an architectural condition. It cannot be delegated to a cloud provider, however rigorously regulated.
V. THE DOCTRINAL IMPLICATION FOR SOURCE 0
Munich revealed the temporal impossibility of reconstructing a dissolved generative event. The DMA reveals the infrastructural impossibility of escaping a concentrated perimeter. SOURCE 0 addresses both by capturing proof at T-0, outside the operational perimeter, before either impossibility materialises. The convergence of these two regulatory developments is not normative — Munich operates in civil liability, the DMA in competition law. It is structural: both expose the same architectural gap, from two different directions.
The Commission's preliminary assessment of 25 June 2026 is the most recent in a series of regulatory developments that confirm a structural reality the SOURCE 0 Doctrine has formalized since its first public release on 26 May 2026: the proof problem and the infrastructure problem are distinct, and resolving one does not resolve the other.
The Landgericht München I ruling of 28 May 2026 established that generative AI operators bear direct liability for their outputs and cannot reconstruct post-hoc the evidentiary state of a dissolved generative event. The DMA preliminary assessment of 25 June 2026 establishes that the cloud infrastructure within which those outputs are generated and logged is structurally concentrated in the hands of a small number of gatekeepers whose perimeter an organization cannot easily exit.
The convergence of these two regulatory developments produces a precise doctrinal consequence: an organization that deploys AI systems within a gatekeeper cloud environment, without an independent proof infrastructure operating outside that perimeter, is simultaneously exposed to the generative event liability established by Munich and to the evidentiary circularity produced by gatekeeper concentration. The two exposures compound.
The SOURCE 0 architecture addresses both. T-0 cryptographic sealing — SHA-256 hash-chaining, RFC 8785 canonicalization, enclave-based extraction (Intel TDX / AMD SEV-SNP), dual-QTSP timestamping under eIDAS 2 — operates outside the perimeter of any cloud provider, gatekeeper-designated or otherwise. Enclave-based extraction through Intel TDX and AMD SEV-SNP operates below the hypervisor layer, outside the control perimeter of any cloud provider — including a gatekeeper-designated one. This architecture is inaccessible by design to the hosting infrastructure under normal operational conditions; it does not claim absolute inviolability, but structural separation from the infrastructure that hosts it. The subsequent structured deposit with a Belgian Judicial Officer establishing date certaine under Belgian law produces an evidentiary artifact whose legal opposability is independent of the regulatory status of any underlying infrastructure. Recognition of the resulting constat beyond Belgian jurisdiction is assessed case by case and is not presumed automatic.
The DMA designation reveals the concentration. The Munich ruling revealed the liability. SOURCE 0 addresses the architecture that neither regulatory development resolves on its own.
Regulatory Notice and Supplementary Resources
Jean-François ELSEN provides corporate directors, legal departments, supervisory authorities, CISOs, risk managers, compliance officers, and critical infrastructure operators with access to complete protocol specifications, evidentiary architecture blueprints, and structural dissociation audit frameworks applicable to NIS 2, DORA, the AI Act, the Digital Markets Act, and high-risk operational environments.
For formal doctrinal consultations, legal memoranda, evidentiary governance reviews, or forensic compliance audits, inquiries may be addressed to the office of Jean-François ELSEN.