Organisations migrating their operations to the cloud are making more and more use of the leading "Hyperscalers" - AWS, Microsoft Azure and Google Cloud. Given the size of those vendors and the breadth of cloud services they offer, it isn't necessarily surprising that regulators like the PRA (financial services) are interested in the possibility of 'concentration risk' since so many of the organisations they regulate use these Hyperscalers.

The reality is many organisations across all sectors already have a multi-cloud strategy: sourcing a mix of cloud vendors, products and services across a suite of enterprise use cases.  

So an organisation might implement an IaaS service from one vendor for core data storage, a PaaS solution from a different vendor on which its teams can develop new features and run AI and analytics, and a range of SaaS applications used in daily business operations.

Having a wide and diverse mix of cloud solutions in the enterprise diffuses any perceived risks across a wide supplier base. Never mind that many cloud solutions - particularly those provided by the Hyperscalers - offer better security, reliability and operational resilience than an organisation's own in-house or on-premises alternatives.

Hopefully the regulators looking at cloud concentration risk will appreciate the sensible, varied and somewhat self-regulating approaches many businesses already take to their cloud strategies, before determining that invasive new rules and regulations are required.