24-06-2025
Mounting geopolitical tensions underscore the need for public cloud diversification
0
This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.
Today's industrial revolution, also known as Industry 4.0, is characterised by smart systems, artificial intelligence (AI), internet of things (IoT), advanced robotics, and automation. If these innovations are the locomotives of Industry 4.0, then their fuel is data. Be it customer behaviour, engagement, attitudes, or personal information, data – and access to it – is what enables today's financial institutions (FIs) to conduct their daily operations, comply with regulation, and bring new products to market.
Increasingly, as a break from the traditional paper-mountain model, banks are turning to public cloud service providers for support with data management. Resources like servers, storage, and applications are extended by third parties over the internet – enabling banks to benefit from scalability, cost-effectiveness, convenience, and on-demand IT services, without having to erect hardware.
This is a booming industry. By 2030, the global public cloud market could reach $1.6 trillion, with a projected compound annual growth rate (CAGR) of around 20% in some regions. This level of growth is reflected in adoption rate. According to a study by Capgemini, 91% of banks and insurance companies have initiated their cloud journeys – a significant increase from 2020, when it was only 37%. Soon, almost every large bank on the planet will be dependent on cloud services – with some expecting to move over half or more of their IT footprint in the next few years.
But the cost of public cloud services is not just financial. To access all the benefits that cloud brings to back-end operations and customer experiences, FIs must make a noteworthy sacrifice: exposure to geopolitical risk.
The big three: A market monopoly?
US-based public cloud service providers – particularly the 'big three', Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) – capture a substantial portion of the global cloud market; with some estimates reaching almost 85%.
This dominance has caused commentators to ask whether the cloud computing market is anti-competitive, and regulators have responded. In March 2023 the United States' Federal Trade Commission (FTC) requested information from the public on cloud computing companies' business practices – including details on their market power, competition, and the potential security issues. By all accounts, the formal process is still in the works. The UK's Office of Communications (Ofcom) responded too, recommending an investigation by the Competition and Markets Authority (CMA) due to its concerns of monopoly. An independent inquiry group published provisional findings in January 2025, recommending that the CMA board officially investigates AWS and Microsoft.
On 17 June 2025, in attempt to ease growing concerns over data sovereignty, Microsoft previewed a range of new cloud computing services tailored for European governments and organisations. In a press release Microsoft noted that 'all remote access by Microsoft engineers to the systems that store and process data in Europe is approved and monitored by European resident personnel, in real-time.'
Google, for its part, has also carved out a 'safe space' in Europe for nations nervous about US reach – offering an 'air-gapped solution' with strict data residency requirements. And, to meet a similar demand from its customers, AWS recently announced a European Sovereign Cloud (ESC) rollout, with a locally-controlled parent company and three subsidiaries incorporated in Germany. The initiative is due to go live by end-2025.
Whether these developments will be enough to placate institutions' concerns about European data remaining within the bloc and under local control, remains to be seen.
A warning shot: The felling of ATB
On the issue of competition, free-market purists might argue that, at least in theory, the dominance of a few cloud service providers is inconsequential, and issues will eventually be smoothed over by the attrition of supply and demand. However, one only has to look at cases such as Amsterdam Trade Bank (ATB)'s, which in 2022 had its access to cloud services blocked by Microsoft as a result of US sanctions, to appreciate why concerns in Europe are mounting.
Though it was alleged that ATB had ties to Russia (and sanctions may therefore have been warranted), its example at the very least reveals that many Europe-based institutions are exposed to some level of geopolitical risk – and therefore must look to diversify their stock of public cloud providers. Without access to emails and customers' data, ATB's operations ground to a halt and it was compelled to file for bankruptcy.
The felling of ATB took place on Joe Biden's watch. As a result of Russia's invasion of Ukraine on 24 February 2022, Biden's administration sought to ratchet up sanctions on Russia via an extensive banking crackdown. According to the BBC, by December 2023, Biden had signed an executive order that imposed sanctions on banks dealing with about 1,200 individuals and companies deemed to be supporting Russia's war machine. These measures continued to expand into 2024, exposing 4,500 financial entities to the risk of being cut off from the US financial system.
With the Trump administration now holding these very same levers of power – and able to issue sanctions by simply declaring a national emergency under the International Emergency Economic Powers Act (IEEPA) – we might ask the question: Could the US administration's sympathy for Russia's designs in Ukraine, and trade-war fuelled antipathy with EMEA, ever cause the crosshairs to land on Europe?
Though the likelihood of a full-scale financial war between the US and Europe is vanishingly small, the geopolitical risks are not non-existent, and institutions are responding accordingly. In March 2025, European cloud providers, including Aruba, IONOS and Dynamo, introduced the Sovereign European Cloud API (SECA) amid rising sovereignty concerns. The SECA is Europe's push for new open application programming interface (API) standards in cloud infrastructure management.
Diversifying risk with European providers
The first and most obvious means to guarantee long-term operational stability is for Europe's banks to diversify their public cloud providers – ensuring they have a balanced, regional spread. This safeguards against not just political risk, but physical risk to data centres. According to CrowdStrike's 2025 Global Threat report, state-backed operations surged last year, with some industries seeing a 300% spike in targeted attacks. Moreover, in its April 2025 Geopolitical Risk dashboard, Blackrock hones in on threats to cloud infrastructure and the potential for cyber risks to increase in conflict zones and election cycles – finding the likelihood of major cyber attacks 'high'.
Regrettably, the stock of Europe-based public cloud service providers is limited, essentially leaving EMEA banks with a choice between established cloud services but high levels of exposure to US tech; or a fledgling European cloud service and low exposure to US tech. Given the modern consumer's demand for instant and digital services, the legacy method of data management is not an option for institutions that wish to remain competitive.
Some of Europe's biggest public cloud service providers include OVHcloud, Scaleway, Hetzner, UpCloud, Exoscale, and gridscale – and each have different strengths and governance models. Regions leading the development of these services include the European economic powerhouses, France and Germany, as well the Nordics.
Whether Europe's cloud providers will develop the scale needed to fully compete with their US counterparts is unclear. While many argue this is unlikely given the EU's shifting focus – from investment in technological infrastructure to investment in the military-industrial complex – the UK government's Strategic Defense Review 2025 signalled that it would measure success in the number and scale of dual-use technology firms. This could mean pairing cloud with quantum innovations – to which No. 10 has just pledged £500 million. In such a scenario, homegrown public cloud services would prove invaluable and fall into the dual-use bucket.
There is of course also the European Cloud User Coalition (ECUC), which was established in January 2021 to develop common security standards and best practices for the use of cloud technology in the EU. The initial coalition included Allied Irish Banks, BAWAG Group., Belfius Bank, Commerzbank, Deutsche Börse, EFG Bank, Erste Group Bank, Euroclear, ING, KBC Bank, Swedbank and UniCredit. At the time of the ECUC's launch, Kerem Tomak, chief analytics officer and initiative lead at ING, said that the coalition 'enables [banks] to adopt a hybrid cloud setup for analytics and AI, that brings us up to par with the fintechs and bigtechs of this world. It allows us to improve our digital capabilities and offer customers better, faster and more personalised experiences."
Later in 2021 the ECUC published a positioning paper which advocated for the safe and compliant use of public cloud technology. The paper serves as a roadmap for the industry – outlining best practices and recommendations for cloud adoption. Unfortunately, it is not legally compelling, and many banks remain overexposed to US tech.
A special (and strained) relationship
The gradual migration of EMEA banks away from US public cloud providers is part of a broader schism between the economies of the US and the EU.
Triggered by President Trump's Independence Day on 2 April 2025, North America unmoored itself from the international rules-based order – of free trade, globalisation, and mutual dependence – which it helped establish in the wake of the Second World War to boost security and prosperity. The deluge of tariffs created shockwaves in the bond markets, and, though the US dollar remains the world's currency reserve, led to murmurs of de-dollarisation.
Waning faith in the US economy began to manifest in other areas, including industry and investment. Indeed, institutions are now wary of tying themselves too closely to the administration – be it the Ministry of Defence and US military contracts, or banks and public cloud services.
The opportunity for Europe's cloud market
No matter to what degree these geopolitical concerns are founded, FIs are by nature risk-averse entities – and especially wary today, as the global economy teeters on the edge of recession.
With conflicts around the globe increasing in number and intensity, EMEA's banks will need to continue diversifing their geopolitical risk when it comes to the cloud. This spells good news for the European public cloud market and will render it a highly strategic and dynamic space in the coming years.
