Our dependency on a handful of hyperscale cloud providers has quietly become one of the most underestimated systemic risks of modern life, touching everything from how hospitals function to whether a small business can issue invoices on a Monday morning. AWS and Azure outages have taken down airlines, hospitals, and government agencies. What was once sold as resilience has, in many cases, consolidated into new single points of failure with geopolitical, economic, and societal consequences.
When Convenience Becomes Critical Infrastructure
In less than two decades, the cloud has shifted from a tactical sourcing decision to the backbone of critical infrastructure. Analysts estimate that Amazon Web Services, Microsoft Azure, and Google Cloud together control well over two‑thirds of the public cloud market, with AWS alone hovering around 30%, Azure around 20%, and Google roughly 13%. That concentration would be concerning in any industry. Yet, as IT underpins payment networks, healthcare systems, energy grids, and government portals, this concentration becomes an existential threat.
Recent outages at all three major providers have repeatedly underpinned the issue. Even small configuration errors at these hyperscalers have taken down large slices of the internet, from video streaming and collaboration tools to retail platforms and authentication services. Each incident is written off as a regrettable but isolated technical glitch. However, they reveal a concerning pattern that these highly centralized, globally automated platforms create failure modes that are both hard to predict and hard to contain. A configuration change, a control-plane bug, or a third‑party software issue no longer affects one company. It ripples through thousands of dependent services that tenants barely know they rely on, and ultimately stops hospitals, airlines, and countless small businesses.
The Hidden Tax of Concentration Risk
In the beginning, the cloud was marketed as the antidote to “the server in the broom closet” failing at 2 a.m. Instead, many organizations have unknowingly swapped a visible, local risk for an opaque, systemic one. When so many SaaS platforms and bespoke workloads sit on the same small set of underlying providers, what looks like diversification at the application layer often collapses back to the same physical and logical infrastructure beneath. An outage or security incident upstream therefore hits multiple vendors, industries, and countries at once, turning what should be isolated fires into rolling blackouts.
Regulators and security experts increasingly describe this as concentration risk and systemic cyber risk, borrowing language from the financial sector for a reason. Hyperscale providers have become “too big to fail” in the practical sense that a prolonged disruption, widespread vulnerability, or coordinated attack could paralyze millions of organizations simultaneously. Questions that were once the domain of niche IT risk committees now belong squarely in national security briefings. Which widely used identity, storage, or processor technologies, if compromised, could cascade across providers and regions in ways that availability zones and failover scripts simply cannot mitigate?
Cloud Vendor Lock‑In as Structural Dependence
If this were purely a matter of market choice, the customers could simply vote with their wallets. However, the reality is different. Over the years, cloud architectures, managed services, and pricing models have created powerful gravitational wells that keep customers in orbit. Data egress fees make moving large datasets out of a cloud provider prohibitively expensive, while proprietary managed services, from databases to identity systems, tie application logic to the quirks of a single platform.
This is more than a technical nuisance. It is a structural dependence. When the cost and complexity of exit are high enough, strategic disagreements, pricing changes, or even geopolitical shifts become something customers must endure rather than contest. UK organizations, for example, are increasingly recognizing vendor lock‑in not as a minor IT concern but as a core threat to digital sovereignty and board‑level resilience. Similar trends show up in EMEA surveys, where sovereignty fears now rank as the main barrier to cloud adoption, not cost or performance.
Digital Sovereignty on Foreign Soil
The sovereignty question is where the danger of concentration crosses from business continuity into democratic self‑determination. Europe’s dependency on US cloud infrastructure is estimated in some discussions at around 90%, a level that leaves even critical national systems tied to foreign legal regimes and corporate strategies. Placing data centers on European soil or branding products as “sovereign cloud” does not fundamentally change this if the parent company remains subject to extraterritorial laws such as the US CLOUD Act.
Critics aptly describe much of this positioning as “sovereignty washing”: a comforting label that masks the reality that data and operational control can still be compelled or influenced from abroad. The acquisition of local providers that manage citizen authentication systems and government portals by US‑based firms illustrates how quickly a carefully chosen, nationally rooted vendor can be pulled back into a foreign sphere of influence. In such an environment, cloud strategy is no longer just about uptime or cost per core; it becomes a question of who ultimately decides which services stay online, which data can be accessed, and under what jurisdictional assumptions those decisions are made.
From Cloud Outages to Societal Fragility
The most unsettling aspect of this dependency is how mundane many of its symptoms still appear. An AWS or Azure outage that prevents people from watching a movie is a nuisance. Yet, one that shuts down healthcare systems, logistics platforms, or energy trading desks veers into the territory of societal fragility. As more of daily life is intermediated by cloud‑hosted identity, payment, and communication services, the line between “IT incident” and “public safety issue” grows thinner.
Cloud providers also hold immense discretionary power. With the ability to restrict, suspend, or deprioritize services, they can shape who can operate, at what scale, and under which conditions. Combine this with the legal obligations they face under their home jurisdictions, and the risk is not only that a technical fault takes systems down, but also that corporate or governmental decisions elsewhere in the world ripple through to the availability of critical digital services in your city.
Rebuilding Resilience and Choice
We should not romanticize a return to purely on‑premises infrastructure. The cloud offers genuine benefits in elasticity, innovation velocity, and access to advanced capabilities that many organizations would find unrealistic to build on their own. The danger lies in treating “the cloud” as a single, homogeneous destination operated by a small club of providers, rather than an ecosystem where resilience stems from architectural, governance, and jurisdictional diversity.
Mitigating this dependency means designing for exit and distribution from day one. We must favor open standards over proprietary services, build applications that run across multiple clouds and on‑premises environments, and insist on contractual and technical controls that preserve data portability. It also means taking digital sovereignty seriously enough to question whether the providers that control critical infrastructure are aligned with the long‑term interests and legal frameworks of the societies they serve. As with any form of infrastructure, from electricity to finance, a world that leans on a few giants for everything may be efficient on paper, right up until the moment something goes wrong at a scale no one can afford.
Leave a Reply