Despite the cloud’s ability to foster innovation and industry change, financial institutions are hampered by various barriers to adoption.
These barriers are set out in a report by the European Financial Market Association (AFME) and Protiviti.
The report, ‘The State of Cloud Adoption in Europe Paving the Way for Cloud as a Critical Third-Party Solution’, outlines four key barriers that are hindering the pace of cloud adoption within the financial services sector.
The cloud enables innovation in financial services, but businesses continue to battle barriers to unlocking the full potential of technology.
Here we analyze the barriers identified in the report and discuss the corresponding solutions it puts forward.
Concentration of cloud services
65% of the world’s cloud services are provided by just three entities. Such monopoly dominance has raised concerns among financial regulators. This report articulates the risks of such concentration in the cloud market.
The report urges policymakers to consider how cloud service providers (CSPs) can provide transparency on resilience, dependencies, and security issues.
This facilitates scrutiny of regional dependencies on CSPs and analysis of the underlying control planes within each CSP.
The report recommends that adopting a multi-cloud strategy should be left to the discretion of individual institutions.
The report makes clear how forced adoption may increase, rather than address, the systemic concentration risks mentioned earlier.
Regulatory complexity
The report points out that regulatory complexity is a major barrier to cloud adoption. Thus, the fragmented regulatory environment, slow approval times, and general uncertainty all contribute. The presence of these factors is slowing the pace of innovation and cloud adoption.
Institutions are subject to several different regulatory authorities. This setup means that the same information can be requested in different formats and through different channels.
In this light, the report calls for the authorities to consider approval models for deploying services in the cloud at the platform level. Similarly, it also requests the removal of the notification time requirement to reduce delays in the approval process.
that is, European Central Bank (ECB), European Supervisory Authority (ESA) and National Competent Authority (NCA).
This adjustment is to ensure consistent application of outsourcing and information and communication technology (ICT) third party registrations. This helps minimize overlap between agencies and supervisors.
Data localization
Forthcoming EUCS certification framework proposals to achieve “immunity from third country law” via EU administrative requirements could, if adopted, have far-reaching negative repercussions.
The report urges policymakers and regulators to refrain from demanding data localization or cloud hosting solutions. Localization challenges resilience, stifles innovation, and increases operational complexity.
Interruption management in the cloud
Several high-profile cloud service outages have highlighted the need for CSPs to anticipate, manage, and communicate disruption.
Regulators expect financial institutions to assume primary responsibility for resisting threats to operational resilience, preventing service disruptions, and recovering from incidents.
As a solution to this, the report encourages collaboration between CSPs and institutions. This effort will help institutions better understand the provider’s tools, resources, and configuration settings to ensure the security of workloads and data running within the CSP’s infrastructure.
In addition, CSPs should help agencies understand service level objectives (SLOs) and resilience and recovery metrics for each service offered.
The report requires CSPs to assist agencies by providing dependency mappings between services and geographies, for example showing where two different services share a single point of failure, or how an outage in one region affects the underlying CSP control plane.
It also encourages CSPs to provide transparency and detail in the root cause analysis (RCA) of incidents and outages, and calls for the creation of a library of previous RCAs. Such resources enable us to track incident trends, understand them, and manage them better in the future.
CSPs must provide adequate education and notification to their institutions about service updates that may impact their responsibilities and obligations in areas such as security and resilience.
Regulation not harmonized
Fiona Willis, Associate Director of Technology and Operations at AFME, explains how the cloud enables institutions to provide “agile, scalable and resilient services” to their clients.
Nevertheless, Willis admits that cloud adoption is being held back by “overly complex and discordant regulations,” as the report reveals.

AFME members believe it is imperative that policymakers do not inadvertently influence the continued adoption of cloud services, she continues. Regulators and policymakers can work together to unlock the full potential of the cloud in the financial services sector.
In addition, James Fox, Protiviti’s director of enterprise cloud, said the technology presents a huge opportunity to “improve productivity, flexibility and resilience.”
Despite the fact that regulation reduces risk, Fox said there is a “careful balance to be struck between properly regulating cloud technology and not stifling innovation and competition within financial services,” emphasizing the need for action.