The Cloud Is Now Critical Infrastructure
More than half of UK businesses run their most vital operations on cloud infrastructure—and they’re not just resting comfortably while doing it. A new report from the Cyber Monitoring Centre makes for stark reading: over 60 percent of UK companies rely on cloud services for mission-critical functions, and that number balloons to more than 80 percent among FTSE 100 firms. The real scare? A 24-hour outage in AWS’s eu-west-1 region (Dublin) or us-east-1 (Northern Virginia) could cost the UK economy roughly £1 billion and £650 million respectively, before even counting downstream ripple effects on suppliers and customers.
This isn’t hypothetical. Last October, a bug in AWS’s DynamoDB DNS system brought parts of Lloyds Banking Group and the UK government to a standstill. The key takeaway? Multi-region redundancy doesn’t help when your workload depends on core services that live almost exclusively in one region—us-east-1, in this case. “It’s not about rejecting the cloud; it’s about recognising that cloud is critical infrastructure now,” says Will Mayes, CEO of the Cyber Monitoring Centre.
Digital sovereignty has long been framed as a public-sector concern—data residency, legal jurisdiction, national security. But this report drags the issue into the boardroom, with real numbers attached: revenue loss, insurance exposure, reputational hit. And it forces a stark question: how much of your business continuity plan rests on the uptime of three hyperscalers, concentrated in a handful of geographies? Read on.
Where the Cloud Gets Dangerous
The report zeroes in on three core failure points: AWS’s eu-west-1 and us-east-1, Microsoft Azure’s UK South and Germany West Central, and Google Cloud’s e-west-2. But here’s the thing—it’s not just which regions you use, it’s which services you lean on. The October AWS outage illustrates why: the problem started in DynamoDB’s DNS layer, which rippled out to affect seemingly unrelated services that those regions hosted.
Even firms pursuing multi-cloud strategies aren’t off the hook. The report notes that many companies distribute their infrastructure across providers but keep their heaviest workloads concentrated in just one or two regions. That’s operational convenience, not resilience. “You might think you’re hedged,” says a Parametrix analyst cited in the report, “but if your ERP, payroll, and customer portal all talk back to us-east-1 behind the scenes? You’re not hedged—you’re exposed.”
The numbers back this up: roughly half of FTSE 100 firms depend on UK and Ireland cloud regions; the other half rely on US or continental Europe. Smaller businesses skew even heavier toward UK and Ireland—meaning any regional hiccup hits them disproportionately hard.
Visibility: The Missing Layer
One of the most sobering findings in the report is how little many firms actually know about their own cloud footprint. Who manages which service? Which regions host your most revenue-critical workloads? How many seconds of downtime would cost you six figures—or more? The Cyber Monitoring Centre found that many organisations lack basic visibility into their dependencies, making risk assessment pure guesswork.
This isn’t just about logging in to your cloud dashboard and ticking boxes. Real visibility means tracking:
- Which business functions depend on which services
- How each dependency is architecturally grounded (single region? multi-AZ only?)
- What the recovery time objective actually is in practice—not on paper
- Who signs off on a failover decision, and whether they’ve run the numbers
Without this, you’re flying blind when an outage hits. And if your cloud provider issues a post-mortem while your customers are waiting for service to resume? That’s not just operational failure—that’s existential risk.
The Public Sector’s Unique Exposure
The report doesn’t shy away from the elephant in the room: Britain’s public sector remains heavily dependent on US-based cloud operators. That overlap becomes a security vulnerability when the US CLOUD Act allows federal agencies to demand data access regardless of physical location. A politically motivated disruption or legal directive could leave hospitals, schools, and emergency services scrambling.
Earlier this year, a separate investigation highlighted how UK agencies found themselves locked into US-centric platforms—switching now would mean massive migration costs and likely service degradation. The report’s authors argue this dependency creates systemic risk that regulators have yet to address in meaningful terms.
“Cloud sovereignty isn’t just about where your data lives,” Mayes told us. “It’s about who controls the kill switch. If your critical functions live on platforms that answer primarily to another nation’s legal framework, you’re making a choice—whether you admit it or not.”
Pathways to Resilience
So where do we go from here? The report isn’t one of those doom-laden think-pieces that offers no way forward. On the contrary, it suggests several concrete steps:
- Map your blast radius: Identify every critical workload and trace its dependencies back to the physical region, then assess whether that region is part of a single point of failure.
- Test failover like it’s real: Schedule outages in staging, then in production during off-peak hours. Measure recovery time and data loss—not just whether it comes back online.
- Push for transparency from vendors: Ask your cloud provider exactly how they’d handle an outage that affects their core services, not just your instances.
- Revisit insurance coverage: Does your cyber policy account for revenue loss from third-party infrastructure failure? Most don’t—but some Parametrix clients are starting to negotiate bespoke clauses.
Finally, consider that the big clouds have incentive to improve: they’re already investing in “additional ways to avoid impact from similar events.” But incentives and readiness aren’t the same thing. Until hyperscalers treat multi-region resilience as a core architectural principle—not an afterthought—the risk stays with you.
The bottom line? Digital sovereignty isn’t about going off-cloud; it’s about building in the same rigour you’d apply to your physical supply chain. Power grids don’t run on hope, and neither should your uptime strategy.