Finance Derivative

Cloud First or Risk First? Why Financial Institutions Are Rethinking Where Their Data Lives

Nicole Reader, Head of Technology Solutions & Delivery, Cyberfort Group

Financial institutions have spent the best part of a decade accelerating towards cloud adoption, drawn by the promise of scalability, agility and cost efficiency. Hyperscale providers have played a central role in enabling innovation across trading platforms, customer services and data analytics. Yet as the sector matures in its use of cloud, a more nuanced conversation is emerging. 

The question is no longer whether cloud is beneficial, but whether a cloud first strategy is still appropriate for an industry defined by risk, regulation and trust.

Many financial institutions have consolidated critical workloads with a small number of global hyperscale providers. While this has simplified operations and accelerated transformation, it has also created a dependency that is increasingly difficult to ignore. Outages, service disruptions and even subtle performance issues can have major impacts across markets that demand constant availability. When multiple institutions rely on the same infrastructure providers, systemic risk becomes a very real concern rather than a theoretical one.

Alongside resilience, data sovereignty has moved sharply up the agenda. Financial data is among the most sensitive and highly regulated assets any organisation holds. Where that data resides, how it is accessed and under which jurisdiction it falls are no longer abstract considerations. Regulatory bodies across the UK and Europe are intensifying scrutiny on how firms manage third party risk and ensure operational resilience. Frameworks such as the Digital Operational Resilience Act (DORA) are raising the bar for accountability, requiring firms to demonstrate not only that they understand their dependencies, but that they can withstand disruption within them.

Balancing Innovation with Sovereignty 

This is further complicated by a shifting geopolitical landscape. Data that sits in one region may be subject to legal frameworks and access provisions that conflict with domestic expectations of privacy and control. For financial institutions operating across borders, this introduces a layer of complexity that cannot be solved by technical architecture alone. It demands strategic decisions about where data should live and who ultimately governs it.

In this context, the limitations of a blanket cloud first approach are becoming more apparent. Hyperscale cloud remains a powerful enabler, but it does not always align neatly with the requirements of regulated industries. The abstraction that makes cloud so attractive can also obscure visibility and control. For security teams, this can create challenges in enforcing consistent policies, managing access and responding quickly to threats across distributed environments.

What is emerging instead is a more balanced and deliberate approach to cloud strategy. Financial institutions are beginning to adopt hybrid models that combine the flexibility of public cloud with the assurance of sovereign, secure infrastructure. This is not a step backwards from digital transformation, but an evolution of it. By retaining certain workloads and data sets within environments that offer greater control and clear jurisdictional boundaries, firms can reduce exposure while still benefiting from the innovation that cloud enables.

Taking Back Control of Critical Systems

Repatriation is also becoming part of the conversation. In some cases, organisations are moving specific applications or data back from public cloud into private or sovereign environments where risk can be more tightly managed. This is not about abandoning cloud, but about aligning each workload with the environment that best meets its operational, regulatory and security requirements. It reflects a growing recognition that not all data is equal, and that critical financial systems demand a higher degree of oversight.

From a cyber security perspective, this shift is both necessary and overdue. Threat actors are increasingly sophisticated, targeting the complex supply chains and interconnected systems that underpin modern financial services. A diversified infrastructure strategy can act as a form of risk mitigation, reducing the likelihood that a single point of failure can be exploited at scale. It also enables more granular control over security measures, from identity and access management to monitoring and incident response.

However, adopting a hybrid or repatriation strategy is not without its challenges. It requires a clear understanding of existing dependencies, robust governance frameworks and the ability to integrate security consistently across multiple environments. Without this, complexity can quickly become a risk in itself. The organisations that will succeed are those that treat cloud strategy as a continuous process of assessment and optimisation, rather than a one-time decision.

Building Resilient, Sovereign Ready Cloud Futures

For financial institutions, the direction of travel is clear. The future is not defined by choosing between cloud and on premises infrastructure, but by intelligently combining the strengths of both. Sovereign capabilities, whether delivered through private cloud, regional providers or dedicated infrastructure, will play an increasingly important role in supporting compliance and resilience. At the same time, hyperscale cloud will continue to drive innovation where its benefits are most relevant.

The challenge, and the opportunity, lies in striking the right balance. By moving beyond a simplistic cloud first mindset and towards a more strategic, risk aware approach, financial institutions can regain control over their data, strengthen their security posture and build digital environments that are fit for an increasingly uncertain world.
