Cloud computing is now a critical enabler of innovation, scalability, and operational efficiency. As of 2025, approximately 83% of financial institutions have adopted some form of cloud technology, many of which are implementing multi-cloud architectures.

The shift to the cloud is clear, not only in finance, as demonstrated by the projected growth of the global public cloud services market—from USD 773 billion in 2024 to USD 1,806 billion by 2029. Within the finance sector, this move is not just technical—it’s strategic. Banking and capital markets leaders increasingly see the cloud as a destination: a place to store and process critical data, and to access advanced software capabilities.

However, in adopting cloud, the finance sector is faced with challenges and increasing regulatory scrutiny on themes such as data sovereignty and resilience. This blog explores how these topics impact cloud strategies, and then it discusses how SCION can provide trusted, highly available connectivity for financial institutions, even in multi-cloud environments.

Challenge 1: Data sovereignty – an increasing risk in a world of heightened global tensions

The issue of data sovereignty is a top-of-mind criteria when selecting a cloud provider. When data is stored or processed across borders, institutions face tough choices between efficiency and compliance—especially under laws like the U.S. CLOUD Act, which grants access to data held by U.S. cloud providers, even if stored abroad. For European or Swiss financial institutions, this introduces significant legal and operational risk.

A KPMG-cited study found that 30% of financial firms had to alter their cloud architecture due to geographic data restrictions, and the 2024 Cybersecurity Insiders Cloud Security Report mentions how data residency represents a main barrier to adoption for 32% of organizations.

In addition to data storage at rest, data transmission is also increasingly becoming a concern in regulated industries. Data is usually encrypted; however, metadata of traffic flows can already reveal some information. In addition, traditional asymmetric encryption schemes are vulnerable to quantum computers. An attacker (e.g., an adversarial state) may harvest data now to decrypt it later, once quantum computers become available. We cover the importance of path security in a dedicated blog post.

Another relevant aspect regards jurisdictions: conflicting legal regimes may jeopardize data sovereignty. One example is when, in 2020, Microsoft was compelled by the U.S. government to provide access to customer data stored in Ireland—despite EU protections under GDPR.

Heightened global tensions imply that geopolitical risks are also a growing concern. Conversations between the EU and the U.S. over data transfers continue to escalate, making regulatory alignment more complex than ever.

Challenge 2: Concentration vs resilience

Such concentration puts critical infrastructure increasingly in the hands of a few players, creating hidden risks. For example, in July 2024, a flawed Crowdstrike update triggered a global outage, taking down banks, airports, and emergency services worldwide—proving that when everything depends on a few, fragility increases.

Dependencies on cloud service providers are increasingly seen as potential systemic risks by financial regulators, from both security and availability perspectives. In terms of third-party risk management, an ECB oversight report states: “Increasing dependence on third-party offerings, including centralised cloud technologies, opens up channels through which cyberattacks can cause stress in the financial system, even without targeting financial entities.”

To offset this risk, EU compliance regulations such as DORA require financial institutions to demonstrate resilience even during cloud service disruptions, necessitating multi-cloud or hybrid approaches.

The Internet was originally built to be decentralized—a resilient web of networks with no single point of failure. Yet in today’s cloud landscape, we see the opposite: an over-concentration of services and data flows within a few hyperscale providers, leading to a brittle digital backbone for critical infrastructure, especially in the finance sector.

Challenge 3: Connectivity – performance and availability, especially for smaller cloud players

A preferred mechanism to connect with cloud providers is to use dedicated network connections that are separate from the Internet. This is because routing data over plain Internet does not provide sufficient performance guarantees. Large hyperscalers come in an advantaged position, as they provide such connectivity on top of owned global backbones with widespread presence. Smaller players face a much higher barrier to offer similar products, lacking the same scale.

SCION: Sovereignty and security for multi-cloud strategies

SCION comes in as a hybrid between private lines and the Internet. It is multi-operator, enabling financial institutions with a multi-cloud strategy to have control over their data.

Local cloud providers can leverage resilient connectivity to their customers without the investment needed for a global backbone. SCION provides a solution through a more distributed, federated approach.

SCION connectivity provides higher guarantees than plain Internet, thanks to its built-in properties:

• Path control: Decide how and where your data travels – enabling selection of jurisdictions through which your data travels as it goes from point A to B.
• Trust domains: Ensure trusted communication across secure trust boundaries with multi-ISPs where vendor lock-in is avoided.

Switzerland’s Secure Swiss Finance Network (SSFN) is powered by SCION and handles 200 billion Swiss francs daily. Banks and financial institutions use this network to exchange critical data securely — without relying on the public Internet.

For example, our member Cyberlink offers a SCION Cloud with a partner — a solution that keeps all data and workloads entirely in Switzerland while meeting the highest security and compliance requirements. The architecture is specially designed to meet the requirements of financial service providers.

Conclusion: Build resilience, not reliance

Critical infrastructure sectors will continue embracing the cloud revolution. In these sectors, unchecked dependence on a few providers is not secure or compliant. Vendor lock-in, cross-border data exposure, and regulatory conflicts are no longer theoretical risks — they’re real.

SCION offers a verified, sovereign alternative to traditional connectivity — enabling institutions to build secure, trusted multi-cloud networks that align with evolving legal, operational, and strategic demands. SCION can help upgrade your cloud strategy to the next level.