Should Cloud Be Classed as Critical Infrastructure?
madhav
Thu, 03/05/2026 – 09:53
Critical Infrastructure
Chris Harris – Associate VP, Sales Engineering
Over the past few years, large-scale cloud outages have demonstrated just how deeply digital services are woven into the fabric of modern society. When widely used cloud platforms experience disruption, the impact extends far beyond individual applications; banking services stall, transport systems falter, and connected devices across homes, factories, and hospitals can suddenly lose functionality. With entire economies relying on cloud-based services, these incidents present an excellent opportunity to reassess which applications are critical and how we should rearchitect our infrastructure. A timely, increasingly unavoidable debate arises: Should the cloud be classed and regulated as critical infrastructure?
The European Regulatory Context: Cloud Under Scrutiny
The answer to that question may already be forming within the European Union’s expanding regulatory landscape, as the resilience of cloud infrastructure has become a matter of national and economic security.
- NIS2 Directive: Cloud computing service providers are explicitly designated as essential entities, placing them under stricter cybersecurity and incident reporting obligations.
- CER Directive (Critical Entities Resilience): Complements NIS2, covering operational and physical resilience across eleven critical sectors, including digital infrastructure.
- DORA (Digital Operational Resilience Act): In the financial sector, DORA introduces direct EU-level oversight for critical third-party ICT providers, primarily targeting hyperscalers, to mitigate concentration risk.
- The Data Act: The Act, which came into effect in September 2025, mandates interoperability between cloud platforms and enables seamless switching between providers, thereby reducing vendor lock-in and promoting resilience.
These regulations suggest that the EU already treats cloud computing as critical infrastructure, even if the term has not been codified formally. The U.S., on the other hand, takes a more sector-based approach. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) recognises the cloud’s systemic importance but stops short of defining specific resilience thresholds or “critical outage” criteria. The bottom line is that the question is no longer if, but how such criticality should be governed and tested in practice.
Understanding the True Impact of Cloud Outages
Such outages illustrate a new kind of systemic risk. A single configuration error, region failure, or identity malfunction can simultaneously affect millions of users and multiple sectors. According to the Uptime Institute, over 50% of major data center outages now cost organisations more than $100,000 each, with one in five reporting costs surpassing $1 million. When the cloud fails, the cascade is immediate:
- Business continuity halts as mission-critical systems lose access to data or authentication.
- Supply chains stall when connected services can’t communicate.
- Public confidence erodes as digital services, such as banks, utilities, and even health systems, go offline.
These effects reinforce the argument that the cloud should be recognised as a core utility requiring structured resilience standards.
Determining Criticality: A Functional Lens
While EU regulation does not label or prescribe a framework for determining ‘critical functions’, it does require entities to assess whether a function’s disruption would cause severe operational disruption, financial loss, or material damage. A ‘Critical Function Evaluation’ would be a practical approach that translates those regulatory criteria into actionable questions: If this cloud dependency fails for X hours, does it breach safety, legal, continuity, or solvency thresholds? Applying the Critical Function Evaluation framework involves mapping:
- Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)
- The blast radius of a failure (how many functions would be impacted)
- Concentration risk (% of workloads hosted by a single provider or region)
- Interdependencies (identity systems, key management, or network egress paths)
This function-first assessment helps distinguish between general IT services and truly critical workloads requiring enhanced resilience or diversification. To better understand this concept, let us examine two use cases.
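The evaluation above can be made concrete as a small inventory exercise. The following Python script is an added example, not part of the original post or any Thales product: it models a handful of business functions and the cloud dependencies they rely on, then answers the "fails for X hours" question, computes the blast radius of a single dependency or of a whole provider region, and reports concentration risk as the share of dependencies hosted per provider and per region. All function names, dependency names, providers, regions and hour values are constructed assumptions.

```python
"""Critical Function Evaluation (CFE): an added, illustrative implementation.

Everything below is constructed for the example. Function names, dependency
names, providers, regions and all hour values are assumptions, not data
about any real organisation or cloud provider.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    """A cloud dependency and where it is hosted (hypothetical labels)."""
    name: str
    provider: str
    region: str


@dataclass(frozen=True)
class BusinessFunction:
    """A business function with its recovery objectives and breach threshold."""
    name: str
    rto_hours: float        # Recovery Time Objective
    rpo_hours: float        # Recovery Point Objective
    threshold_hours: float  # outage length after which a safety/legal/continuity/solvency threshold is crossed
    depends_on: tuple       # names of the Dependency objects this function needs


# Constructed inventory (assumptions, not real infrastructure).
DEPENDENCIES = {
    "idp":          Dependency("idp", "cloud-a", "eu-west"),
    "kms":          Dependency("kms", "cloud-a", "eu-west"),
    "object-store": Dependency("object-store", "cloud-a", "eu-central"),
    "edge-cache":   Dependency("edge-cache", "on-prem", "dc1"),
}

FUNCTIONS = [
    BusinessFunction("order-processing", 2, 0.5, 4, ("idp", "object-store", "kms")),
    BusinessFunction("shipment-tracking", 4, 1, 8, ("object-store", "edge-cache")),
    BusinessFunction("internal-wiki", 48, 24, 72, ("idp", "object-store")),
    BusinessFunction("patient-record-lookup", 1, 0.25, 1, ("idp", "kms", "object-store")),
]


def blast_radius(dep_name, functions=FUNCTIONS):
    """Names of the functions that stop working if one dependency fails."""
    return sorted(f.name for f in functions if dep_name in f.depends_on)


def region_failure_impact(provider, region, functions=FUNCTIONS, deps=DEPENDENCIES):
    """Functions affected if every dependency hosted in one provider region fails."""
    down = {d.name for d in deps.values() if d.provider == provider and d.region == region}
    return sorted(f.name for f in functions if down & set(f.depends_on))


def concentration(deps=DEPENDENCIES):
    """Share (%) of dependencies hosted per provider and per provider/region pair."""
    total = len(deps)

    def pct(counter):
        return {k: round(100 * v / total, 1) for k, v in counter.items()}

    by_provider = Counter(d.provider for d in deps.values())
    by_region = Counter(f"{d.provider}/{d.region}" for d in deps.values())
    return {"provider": pct(by_provider), "region": pct(by_region)}


def evaluate(function, outage_hours, last_sync_hours_ago=0.0, deps=DEPENDENCIES):
    """Answer: if this function's dependencies fail for X hours, what is breached?

    A limit counts as breached when the outage (or the age of the last good
    data copy, for RPO) is strictly longer than the limit.
    """
    breaches = []
    if outage_hours > function.rto_hours:
        breaches.append("rto")
    if outage_hours > function.threshold_hours:
        breaches.append("threshold")
    if last_sync_hours_ago > function.rpo_hours:
        breaches.append("rpo")
    providers = {deps[d].provider for d in function.depends_on}
    return {
        "function": function.name,
        "breaches": breaches,
        # Every dependency with one provider: concentration risk for this function.
        "single_provider": len(providers) == 1,
    }


def critical_functions(outage_hours, functions=FUNCTIONS, deps=DEPENDENCIES):
    """Functions whose RTO or breach threshold is exceeded by an outage of this length."""
    return sorted(f.name for f in functions if evaluate(f, outage_hours, deps=deps)["breaches"])


if __name__ == "__main__":
    print("blast radius of idp:", blast_radius("idp"))
    print("cloud-a/eu-west failure hits:", region_failure_impact("cloud-a", "eu-west"))
    print("concentration:", concentration())
    for hours in (1, 4, 24):
        print(f"critical after {hours}h:", critical_functions(hours))
```

Running the script shows why the identity provider deserves the attention the post gives it later: a single-region failure of the assumed "cloud-a/eu-west" takes out three of the four functions, and at a four-hour outage the two functions with tight thresholds are already over their limits while the wiki is not, which is exactly the distinction between general IT services and critical workloads the evaluation is meant to surface.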
Use Case 1: When Data Becomes Inaccessible
Data accessibility is the lifeblood of digital operations. A cloud outage can instantly render core datasets unreachable, paralysing decision-making, customer support, or even safety-critical processes. For instance, a logistics company unable to access its cloud-hosted tracking data may lose real-time visibility of shipments, while a hospital relying on SaaS medical systems may face treatment delays. To ensure the resiliency of the data accessibility critical function, the following are some considerations:
- Active/active multi-region deployment to maintain continuity.
- Local data caching or “minimum viable datasets” at the edge to sustain core operations during outages.
- Scheduled exports or replication to an on-prem or sovereign environment for high-priority data.
- External key management to ensure decryption and access control remain under business control, even during cloud disruptions.
These measures embody a resilient-by-design approach, striking a balance between agility and assurance.
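The "minimum viable dataset" and scheduled-export points above have a failure mode worth seeing in code: a local copy is only useful while it is younger than the dataset's RPO, otherwise serving it silently exceeds the data-loss window the business said it could tolerate. The Python below is an added example, not the post's or Thales's code. It assumes a cloud store whose outage can be simulated, a single tier-1 dataset ("shipments") with a one-hour RPO, and a lower-priority dataset that is deliberately never replicated, so that reads of it fail closed during the outage instead of being served from nowhere.

```python
"""Edge 'minimum viable dataset' fallback: an added, illustrative example.

The primary store, dataset names, priority tiers and RPO values are all
constructed assumptions; nothing here is the code of any real cloud
service or of Thales.
"""
import time


class PrimaryUnavailable(Exception):
    """Raised when the cloud-hosted primary store cannot be reached."""


class CloudStore:
    """Stand-in for a cloud-hosted data store whose outage we can simulate."""

    def __init__(self, data):
        self.data = dict(data)
        self.available = True

    def get(self, name):
        if not self.available:
            raise PrimaryUnavailable(name)
        return self.data[name]


class ResilientReader:
    """Read-through access with a local copy of high-priority datasets only.

    Each tier-1 dataset carries an RPO in hours. A local copy older than its
    RPO is treated as unusable rather than served silently.
    """

    def __init__(self, primary, priority_rpo_hours, clock=time.time):
        self.primary = primary
        self.rpo = dict(priority_rpo_hours)  # dataset -> RPO hours; only these are cached
        self.clock = clock
        self.local = {}                       # dataset -> (value, synced_at)

    def replicate_priority(self):
        """Scheduled export: refresh local copies of tier-1 datasets from the primary."""
        synced = []
        for name in self.rpo:
            try:
                self.local[name] = (self.primary.get(name), self.clock())
                synced.append(name)
            except PrimaryUnavailable:
                pass  # keep the existing copy; its age is checked at read time
        return synced

    def read(self, name):
        """Return (value, source); source is 'primary' or 'local-degraded'."""
        try:
            value = self.primary.get(name)
            if name in self.rpo:
                self.local[name] = (value, self.clock())  # opportunistic refresh
            return value, "primary"
        except PrimaryUnavailable:
            if name not in self.local:
                raise  # not a tier-1 dataset: there is no local fallback
            value, synced_at = self.local[name]
            age_hours = (self.clock() - synced_at) / 3600
            if age_hours > self.rpo[name]:
                raise PrimaryUnavailable(f"{name}: local copy {age_hours:.1f}h old exceeds RPO")
            return value, "local-degraded"


def demo():
    """Walk a reader through a simulated outage with a fake clock; returns what happened."""
    now = [0.0]

    def clock():
        return now[0]

    store = CloudStore({"shipments": ["S1", "S2"], "marketing-stats": {"clicks": 10}})
    reader = ResilientReader(store, {"shipments": 1.0}, clock=clock)  # 1h RPO, constructed
    reader.replicate_priority()
    out = {"before": reader.read("shipments")}
    store.available = False        # the regional outage begins
    now[0] = 1800                  # 30 minutes in: local copy is within RPO
    out["during"] = reader.read("shipments")
    try:
        reader.read("marketing-stats")  # never replicated: fails closed
        out["non_priority"] = "served"
    except PrimaryUnavailable:
        out["non_priority"] = "unavailable"
    now[0] = 3 * 3600              # 3 hours in: local copy is older than its RPO
    try:
        reader.read("shipments")
        out["stale"] = "served"
    except PrimaryUnavailable:
        out["stale"] = "unavailable"
    return out


if __name__ == "__main__":
    print(demo())
```

The staleness check is the part most cache-based fallbacks omit: without it, the "minimum viable dataset" quietly turns into an unbounded one, and the RPO that the Critical Function Evaluation recorded is no longer enforced anywhere.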
Use Case 2: When Identity Systems Go Down
Modern enterprises rely on federated identity to enable seamless access across apps and services. However, when an identity provider (IdP) fails, whether due to a cloud outage or misconfiguration, the impact can be catastrophic: employees are locked out, customers are unable to authenticate, and operations are frozen. In this use case, the following should be considered:
- Hybrid identity architecture combining cloud and on-prem federation.
- Break-glass accounts secured by hardware tokens for emergency access.
- Offline MFA options for field or OT environments.
- Conditional access degrade-modes, allowing limited functionality during outages.
Identity resilience should now be viewed as a board-level priority, no less critical than data availability.
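Two of the considerations above, conditional-access degrade modes and hardware-token break-glass accounts, can be sketched in a single access gateway. The Python below is an added example written for this post; it is not the code of any identity product, Thales's included. It assumes a stand-in IdP whose outage can be simulated, a policy that lets already-verified sessions keep only a reduced scope set for a bounded grace window while the IdP is unreachable, and a break-glass account whose hardware token is modelled as an HMAC-SHA256 response to a gateway challenge with a per-account secret registered at enrolment. Every decision is written to an audit list so the degraded-mode period can be reviewed afterwards.

```python
"""Identity degrade-mode and break-glass access: an added, illustrative example.

The IdP stand-in, scope names, session records and break-glass credential are
constructed for this example; none of it is the code or configuration of any
real identity provider or of Thales.
"""
import hashlib
import hmac
import secrets
import time

# Scopes a still-valid session may keep while the IdP is unreachable (assumed policy).
DEGRADED_SCOPES = {"read:orders", "read:tickets"}
GRACE_SECONDS = 4 * 3600  # how long an existing session may outlive its last IdP check


class IdentityProvider:
    """Stand-in for a federated IdP whose outage we can simulate."""

    def __init__(self):
        self.available = True
        self.sessions = {}  # session_id -> (user, scopes)

    def login(self, user, scopes):
        if not self.available:
            raise ConnectionError("idp unreachable")
        sid = secrets.token_hex(8)
        self.sessions[sid] = (user, set(scopes))
        return sid

    def introspect(self, sid):
        if not self.available:
            raise ConnectionError("idp unreachable")
        return self.sessions.get(sid)


class AccessGateway:
    """Conditional access with a bounded degraded mode and a break-glass path."""

    def __init__(self, idp, clock=time.time):
        self.idp = idp
        self.clock = clock
        self.cache = {}        # sid -> (user, scopes, last_verified_at)
        self.audit = []        # (time, subject, scope, allowed, reason) for later review
        self.break_glass = {}  # account -> secret shared with its hardware token (assumed)

    def register_break_glass(self, account, token_secret):
        """Enrol a hardware-token-backed emergency account."""
        self.break_glass[account] = token_secret

    def authorize(self, sid, scope):
        """Return True if the session may use `scope` under current conditions."""
        try:
            record = self.idp.introspect(sid)
            if record is None:
                return self._decide(sid, scope, False, "unknown session")
            user, scopes = record
            self.cache[sid] = (user, set(scopes), self.clock())
            return self._decide(sid, scope, scope in scopes, "idp-verified")
        except ConnectionError:
            pass  # IdP down: fall through to degrade mode
        if sid not in self.cache:
            return self._decide(sid, scope, False, "degraded: no prior verification")
        user, scopes, verified_at = self.cache[sid]
        if self.clock() - verified_at > GRACE_SECONDS:
            return self._decide(sid, scope, False, "degraded: grace window expired")
        allowed = scope in scopes and scope in DEGRADED_SCOPES
        return self._decide(sid, scope, allowed, "degraded: limited scopes")

    def emergency_access(self, account, challenge, response):
        """Break-glass: grant admin only for a valid hardware-token response (HMAC model)."""
        key = self.break_glass.get(account)
        if key is None:
            return self._decide(account, "admin", False, "break-glass: unknown account")
        expected = hmac.new(key, challenge, hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected, response)
        return self._decide(account, "admin", ok, "break-glass")

    def _decide(self, subject, scope, allowed, reason):
        self.audit.append((self.clock(), subject, scope, allowed, reason))
        return allowed


def demo():
    """Drive the gateway through an IdP outage with a fake clock; returns the outcomes."""
    now = [1000.0]
    idp = IdentityProvider()
    gw = AccessGateway(idp, clock=lambda: now[0])
    sid = idp.login("alice", ["read:orders", "write:orders"])
    out = {"normal_write": gw.authorize(sid, "write:orders")}  # IdP up: full scopes
    idp.available = False                                        # outage begins
    out["degraded_read"] = gw.authorize(sid, "read:orders")      # kept: in degraded set
    out["degraded_write"] = gw.authorize(sid, "write:orders")    # dropped in degrade mode
    out["new_session"] = gw.authorize("never-seen", "read:orders")  # never verified: denied
    now[0] += GRACE_SECONDS + 1
    out["after_grace"] = gw.authorize(sid, "read:orders")        # grace window over: denied
    secret = b"hardware-token-secret-assumed"
    gw.register_break_glass("emergency-admin", secret)
    challenge = b"nonce-from-gateway"
    good = hmac.new(secret, challenge, hashlib.sha256).hexdigest()
    out["break_glass_ok"] = gw.emergency_access("emergency-admin", challenge, good)
    out["break_glass_bad"] = gw.emergency_access("emergency-admin", challenge, "0" * 64)
    out["audit_entries"] = len(gw.audit)
    return out
```

The two bounds matter more than the mechanics: degrade mode never admits a session the IdP has not vouched for, and it never extends one past the grace window, so an outage cannot be used to accumulate access that the primary policy would refuse once the IdP returns.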
Building Redundancy: How Much Is Enough?
The impact of large-scale cloud outages revived the debate over single-provider dependency. For most organisations, the right model depends on risk appetite, compliance obligations, and operational needs. A practical redundancy maturity ladder would include:
- Multi-AZ or multi-region within one provider as a minimum baseline.
- Hot standby in a secondary region to support faster recovery.
- Selective multi-cloud to duplicate only critical workloads.
- Full multi-cloud active/active for maximum continuity, but at the highest cost.
Beyond Technology: Contracts, SLAs, and Testing
Beyond being an architecture decision, resilience is also a governance issue. Businesses should revisit:
- SLAs that define recovery times, region guarantees, and data residency.
- Exit strategies with pre-tested cloud switching and key portability.
- Cross-provider drills that simulate identity or data unavailability.
Thales Perspective: Resilient by Design
Thales believes that cloud’s classification as critical infrastructure is inevitable and essential. The priority now is to build digital ecosystems where resilience, sovereignty, and compliance are embedded by design. Thales helps organisations achieve this through:
- External Key Management & Encryption: Maintain complete control of keys and data across clouds via CipherTrust Data Security Platform, Luna HSMs, and Data Protection on Demand.
- Identity Resilience: Solutions like SafeNet Trusted Access and OneWelcome Identity Platform enable adaptive authentication, FIDO-based access, and hybrid identity models, providing enhanced security and flexibility.
- Data Sovereignty & Compliance: Align deployments with regulatory assurance levels, implement BYOK/HYOK models, and support national or sectoral sovereignty frameworks.
By combining strong encryption, identity assurance, and multi-cloud governance, organisations can operate confidently no matter what happens in the cloud.
Cloud Is Already Critical. Now We Must Treat It That Way
Large-scale cloud outages remind us that when the cloud stumbles, everything built on it does too. Cloud already meets every criterion of critical infrastructure: ubiquity, interdependence, and impact. The path forward is clear: define resilience expectations, test them regularly, and ensure organisations retain control of what matters most: their data, their identities, and their trust. In an interconnected world, resilience is the new reliability, and it begins by recognising that the cloud is not just infrastructure. It’s the backbone of our digital society.
First seen on securityboulevard.com
Jump to article: securityboulevard.com/2026/03/should-cloud-be-classed-as-critical-infrastructure/